CVE-2026-41267: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mas
Summary
Flowise, a tool for building customized AI workflows through a drag-and-drop interface, had a security flaw in versions before 3.1.0 where attackers could inject malicious data during account registration. This JSON injection (inserting unauthorized data into JSON fields) vulnerability allowed unauthenticated users to manipulate important metadata like ownership and user roles, potentially breaking security boundaries in systems that host multiple separate organizations.
Solution / Mitigation
Update to Flowise version 3.1.0 or later, where the vulnerability is fixed.
Vulnerability Details
CVSS score: 8.1 (high)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: network
Attack complexity: high
Privileges required: none
User interaction: none
April 23, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41267
First tracked: April 24, 2026 at 08:10 AM