CVE-2026-41273: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contain
Summary
Flowise, a tool for building customized AI workflows with a drag-and-drop interface, had a security flaw in versions before 3.1.0 that let attackers bypass authentication (skip the login process) and steal OAuth 2.0 access tokens (credentials that grant permission to access other services). Attackers could access public chatflow configuration endpoints (URLs that show workflow settings) to find OAuth credential identifiers and use them to obtain valid access tokens without needing to log in.
Solution / Mitigation
Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.
Vulnerability Details
EPSS: 0.0%
April 23, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41273
First tracked: April 24, 2026 at 08:10 AM
Classified by LLM (prompt v3) · confidence: 92%