CVE-2026-41268: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vuln
Summary
Flowise, a tool that lets users visually design custom AI workflows, has a critical vulnerability in versions before 3.1.0 that allows unauthenticated attackers to run arbitrary system commands. An attacker can exploit this with a single web request that uses a special keyword (FILE-STORAGE::) and injects code into an environment variable (NODE_OPTIONS), gaining full control of the Flowise system.
Solution / Mitigation
Upgrade Flowise to version 3.1.0 or later, where this vulnerability is fixed.
Vulnerability Details
EPSS: 0.0%
April 23, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41268
First tracked: April 24, 2026 at 08:10 AM
Classified by LLM (prompt v3) · confidence: 95%