CVE-2026-41278: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1
Summary
Flowise, a tool that lets users build custom AI workflows through a drag-and-drop interface, had a security flaw in versions before 3.1.0 where the public API endpoint (GET /api/v1/public-chatflows/:id) exposed sensitive data without filtering. The flaw revealed credential IDs, plaintext API keys (secret codes used to access other services), and password fields in the raw workflow data, making it possible for unauthorized people to see this sensitive information.
Solution / Mitigation
Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.
Vulnerability Details
EPSS: 0.0%
April 23, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41278
First tracked: April 24, 2026 at 08:10 AM