Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-41274

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.

Ver en NVD

Análisis

Flowise versions prior to 3.1.0 are vulnerable to a critical Cypher injection flaw in the GraphCypherQAChain node. Attackers can bypass sanitization to execute arbitrary commands on the underlying Neo4j database, which can lead to total data theft or destruction. If you are using Flowise for LLM orchestration, you should upgrade to version 3.1.0 immediately.

Severidad

Puntaje: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-943

EPSS

Probabilidad de explotación (próx. 30 días): 0.0010 (0.1%)
Percentil: 27.2%
EPSS: 2026-05-06

Afecta

flowiseai:flowise

Descripción técnica

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.

Publicada: 23/4/2026, 22:16:38
Última modificación: 4/5/2026, 18:33:02

Referencias

InicioEventosBlogRecursosEquipo