Skip to content
CVSS 7.5 · HIGH

CVE-2026-41266

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more. This vulnerability is fixed in 3.1.0.

Ver en NVD

Análisis

Flowise versions before 3.1.0 leak sensitive credentials, including API keys and HTTP authorization headers, through a public API endpoint. If you use Flowise to build LLM workflows, an attacker can steal your stored secrets by simply identifying your chatflow UUID. You should upgrade to version 3.1.0 immediately to secure your environment.

Severidad

Puntaje: 7.5(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: NONE
A: NONE
Tipo de falla (CWE): CWE-200CWE-522CWE-862

EPSS

Probabilidad de explotación (próx. 30 días): 0.0004 (0.0%)
Percentil: 12.9%
EPSS: 2026-05-06

Afecta

flowiseai:flowise

Descripción técnica

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more. This vulnerability is fixed in 3.1.0.

Publicada: 23/4/2026, 20:16:15
Última modificación: 25/4/2026, 2:16:02

Referencias

InicioEventosBlogRecursosEquipo