CVE-2026-41266: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-
Summary
Flowise is a tool for building customized LLM (large language model) flows through a visual drag-and-drop interface. In versions before 3.1.0, an API endpoint exposes sensitive data such as API keys and authorization headers without requiring authentication. An attacker who knows only a chatflow UUID (a unique identifier) can steal credentials and other sensitive information from the system.
Solution / Mitigation
Update to Flowise version 3.1.0, where this vulnerability is fixed.
Vulnerability Details
EPSS: 0.0%
April 23, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41266
First tracked: April 24, 2026 at 08:10 AM