CVE-2026-41279: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-spe
highvulnerabilityLLM-Specific
security
Summary
Flowise, a tool for building customized AI workflows with a drag-and-drop interface, had a security flaw in versions before 3.1.0 where a speech-generation endpoint didn't require authentication (authorization bypass, where access controls are bypassed by attackers) and could decrypt stored API keys when given a credential ID. This allowed attackers to retrieve sensitive credentials like OpenAI API keys without proper permission checks.
Solution / Mitigation
This vulnerability is fixed in version 3.1.0.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Disclosure Date
April 23, 2026
Classification
Attack Type
Supply Chain
Attack SophisticationTrivial
Impact (CIA+S)
confidentialityintegrity
Affected Vendors
OpenAILangChain
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41279
First tracked: April 24, 2026 at 08:10 AM
Classified by LLM (prompt v3) · confidence: 95%