CVSS 7.5 · HIGH

CVE-2026-41266

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the /api/v1/public-chatbotConfig/:id endpoint exposes sensitive data, including API keys, HTTP authorization headers and internal configuration, without any authentication. An attacker who knows only a chatflow UUID can retrieve credentials stored in password-type fields and HTTP headers, leading to credential theft and more. This vulnerability is fixed in 3.1.0.


Analysis

Flowise versions before 3.1.0 leak sensitive credentials, including API keys and HTTP authorization headers, through a public API endpoint. If you use Flowise to build LLM workflows, an attacker can steal your stored secrets by simply identifying your chatflow UUID. You should upgrade to version 3.1.0 immediately to secure your environment.
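As an added illustration of the defensive pattern involved (this is not Flowise's own code and not its 3.1.0 fix), the function below builds a public-safe view of a chatflow by allowlisting top-level keys, redacting inputs a node declares as password-type, and masking authorization-style HTTP headers. The chatflow shape, node fields and sample values are assumptions constructed for the example.

```javascript
// Illustrative only: not Flowise code. Assumed shape of a chatflow node:
// { name, inputParams: [{ name, type }], inputs: { ...values, headers?: {} } }.
const SENSITIVE_HEADERS = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'x-api-key',
]);

// Mask header values that carry credentials; keep everything else.
function redactHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k] = SENSITIVE_HEADERS.has(k.toLowerCase()) ? '[REDACTED]' : v;
  }
  return out;
}

// Redact every input the node itself declares as type "password",
// and sanitize any nested HTTP header map.
function redactNode(node) {
  const secretNames = new Set(
    (node.inputParams || []).filter(p => p.type === 'password').map(p => p.name),
  );
  const inputs = {};
  for (const [key, value] of Object.entries(node.inputs || {})) {
    if (secretNames.has(key)) {
      inputs[key] = '[REDACTED]';
    } else if (key === 'headers' && value && typeof value === 'object') {
      inputs[key] = redactHeaders(value);
    } else {
      inputs[key] = value;
    }
  }
  return { name: node.name, inputs };
}

// Allowlist: an unauthenticated widget endpoint returns only what it needs.
function publicChatbotConfig(chatflow) {
  return {
    id: chatflow.id,
    chatbotConfig: chatflow.chatbotConfig || {},
    nodes: (chatflow.nodes || []).map(redactNode),
  };
}

// Constructed sample chatflow (placeholder UUID and dummy secret values).
const sampleChatflow = {
  id: '00000000-0000-4000-8000-000000000000',
  chatbotConfig: { welcomeMessage: 'Hi' },
  nodes: [{
    name: 'llmNode',
    inputParams: [{ name: 'apiKey', type: 'password' }, { name: 'modelName', type: 'string' }],
    inputs: { apiKey: 'sk-dummy', modelName: 'model-x',
              headers: { Authorization: 'Bearer dummy', Accept: 'application/json' } },
  }],
};
```

Running `publicChatbotConfig(sampleChatflow)` yields a response in which `apiKey` and `Authorization` read `[REDACTED]` while non-secret fields are unchanged.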

Severity

Score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: NONE
A: NONE
Weakness (CWE): CWE-200, CWE-522, CWE-862

EPSS

Probability of exploitation (next 30 days): 0.0004 (0.0%)
Percentile: 12.9%
EPSS: 2026-05-06

Affects

flowiseai:flowise


Published: 4/23/2026, 8:16:15 PM
Last modified: 4/25/2026, 2:16:02 AM
