CVE-2026-41276: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerabil
Summary
Flowise, a tool for building customized AI language model workflows through a visual interface, had a security flaw in versions before 3.1.0 that let attackers reset any user's password without authorization. The vulnerability existed because the password reset function didn't verify that a valid reset token had been created, so attackers could submit a request with an empty or null token value (which is the default) to change a user's password if they knew the victim's email address.
Solution / Mitigation
This vulnerability is fixed in version 3.1.0. Update Flowise to version 3.1.0 or later.
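The flaw class described in the summary, shown beside a hardened check. This is an added example, not Flowise's code or its 3.1.0 patch; the user store, field names (`resetToken`, `resetExpiry`), function names and the 15-minute lifetime are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed in-memory user store; field names are hypothetical.
// A user who never requested a reset keeps the default null token.
function makeUsers() {
  return new Map([
    ['alice@example.test', { password: 'old-hash', resetToken: null, resetExpiry: null }],
  ]);
}

// Flawed pattern: the submitted token is only compared with the stored one,
// so a null (or omitted) token matches the null default.
function resetPasswordFlawed(users, email, token, newPassword) {
  const user = users.get(email);
  if (!user) return false;
  if ((token ?? null) !== user.resetToken) return false;
  user.password = newPassword;
  return true;
}

// Issue a random, time-limited token (the 15-minute lifetime is an assumption).
function issueResetToken(users, email, now = Date.now()) {
  const user = users.get(email);
  if (!user) return null;
  user.resetToken = crypto.randomBytes(32).toString('hex');
  user.resetExpiry = now + 15 * 60 * 1000;
  return user.resetToken;
}

// Hardened pattern: a reset must have been requested, both tokens must be
// non-empty strings, the token must be unexpired, and it is single use.
function resetPasswordHardened(users, email, token, newPassword, now = Date.now()) {
  const user = users.get(email);
  if (!user) return false;
  if (typeof user.resetToken !== 'string' || user.resetToken.length === 0) return false;
  if (typeof token !== 'string' || token.length === 0) return false;
  if (user.resetExpiry === null || now > user.resetExpiry) return false;
  // Hash both sides to equal length so timingSafeEqual can compare them.
  const a = crypto.createHash('sha256').update(token).digest();
  const b = crypto.createHash('sha256').update(user.resetToken).digest();
  if (!crypto.timingSafeEqual(a, b)) return false;
  user.password = newPassword;
  user.resetToken = null; // invalidate after use
  user.resetExpiry = null;
  return true;
}
```
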
Vulnerability Details
EPSS: 0.0%
April 23, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41276
First tracked: April 24, 2026 at 08:10 AM
Classified by LLM (prompt v3) · confidence: 95%