CVE-2026-41266
Severity: HIGH (CVSS 7.5)
Description
Flowise is a drag-and-drop user interface for building customized large language model flows. Prior to version 3.1.0, the /api/v1/public-chatbotConfig/:id endpoint returned sensitive data, including API keys, HTTP authorization headers and internal configuration, without any authentication. An attacker who knows only a chatflow UUID can retrieve credentials stored in password-type fields and in configured HTTP headers, leading to credential theft and follow-on access to the services those credentials protect. This vulnerability is fixed in 3.1.0.
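The failure mode described above is a public endpoint that serializes the whole chatflow, so every password-typed input and every configured header goes out with the UI settings. The following is an added illustrative example, not Flowise's own code or its 3.1.0 fix: it contrasts a handler that returns the raw flow with one that builds an allowlisted public view, dropping any input whose declared type is password or credential or whose name is a known carrier of secrets (such as an HTTP headers map). The chatflow shape (flowData.nodes[].data.inputParams and inputs), the isPublic flag used as an authorization gate, and the sample data are all assumptions made for the example.

```typescript
// Added illustrative example, not Flowise code. Assumed chatflow shape:
// flowData.nodes[].data.inputParams[{ name, type }] describes each input,
// and flowData.nodes[].data.inputs[name] holds its configured value.
type InputParam = { name: string; type: string };
type FlowNode = {
  id: string;
  data: { label: string; inputParams: InputParam[]; inputs: Record<string, unknown> };
};
type Chatflow = {
  id: string;
  isPublic: boolean; // assumed flag: only flows marked public may be served anonymously
  chatbotConfig: Record<string, unknown>;
  flowData: { nodes: FlowNode[] };
};

// Inputs that carry secrets even when their declared type is not "password"
// (an HTTP headers map holding an Authorization value is the case this CVE names).
const SENSITIVE_INPUT_NAMES = /^(headers|authorization|apiKey|credential)$/i;

function isSecretParam(param: InputParam): boolean {
  return (
    param.type === "password" ||
    param.type === "credential" ||
    SENSITIVE_INPUT_NAMES.test(param.name)
  );
}

// Vulnerable pattern: hand the full flow definition to an unauthenticated caller.
function buildVulnerableChatbotConfig(flow: Chatflow): Record<string, unknown> {
  return { id: flow.id, chatbotConfig: flow.chatbotConfig, flowData: flow.flowData };
}

// Keep only inputs that are declared and are not secret-bearing (drop, do not mask).
function redactNodeInputs(node: FlowNode): Record<string, unknown> {
  const safe: Record<string, unknown> = {};
  for (const param of node.data.inputParams) {
    if (isSecretParam(param)) continue;
    if (param.name in node.data.inputs) safe[param.name] = node.data.inputs[param.name];
  }
  return safe;
}

// Hardened pattern: allowlist the public view and refuse non-public flows outright.
function buildPublicChatbotConfig(flow: Chatflow): Record<string, unknown> | null {
  if (!flow.isPublic) return null; // caller should answer 404 for anonymous requests
  return {
    id: flow.id,
    chatbotConfig: flow.chatbotConfig,
    nodes: flow.flowData.nodes.map((n) => ({
      id: n.id,
      label: n.data.label,
      inputs: redactNodeInputs(n),
    })),
  };
}

// Return which of the given secret strings appear anywhere in a serialized response.
function leaks(config: unknown, secrets: string[]): string[] {
  const text = JSON.stringify(config);
  return secrets.filter((s) => text.indexOf(s) !== -1);
}

// Constructed sample chatflow (placeholder values, not real credentials).
const SAMPLE_SECRETS = ["sk-EXAMPLE-NOT-A-REAL-KEY", "Bearer EXAMPLE-TOKEN"];
const sampleFlow: Chatflow = {
  id: "0f1d2c3b-4a59-4e6f-8a7b-9c0d1e2f3a4b",
  isPublic: true,
  chatbotConfig: { welcomeMessage: "Hi!", backgroundColor: "#ffffff" },
  flowData: {
    nodes: [
      {
        id: "chatOpenAI_0",
        data: {
          label: "ChatOpenAI",
          inputParams: [
            { name: "modelName", type: "options" },
            { name: "openAIApiKey", type: "password" },
          ],
          inputs: { modelName: "gpt-4o", openAIApiKey: SAMPLE_SECRETS[0] },
        },
      },
      {
        id: "apiChain_0",
        data: {
          label: "API Chain",
          inputParams: [
            { name: "url", type: "string" },
            { name: "headers", type: "json" },
          ],
          inputs: {
            url: "https://internal.example/orders",
            headers: { Authorization: SAMPLE_SECRETS[1] },
          },
        },
      },
    ],
  },
};

console.log("vulnerable leaks:", leaks(buildVulnerableChatbotConfig(sampleFlow), SAMPLE_SECRETS));
console.log("hardened leaks:", leaks(buildPublicChatbotConfig(sampleFlow), SAMPLE_SECRETS));
```

The allowlist shape matters more than the regex: a denylist of field names misses the next secret-bearing input a node author adds, whereas a public view that only ever copies UI settings plus explicitly declared, non-secret inputs fails closed. The same leaks() check is a cheap regression test to run against any new public endpoint.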
CVE details
CVSS v3.1 score: 7.5
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 4/23/2026
Last modified: 4/25/2026
Source: nvd
Honeypot observations: 0
Affected products
flowiseai:flowise
Weaknesses (CWE)
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-522 (Insufficiently Protected Credentials), CWE-862 (Missing Authorization)
References
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-4jpm-cgx2-8h37 (security-advisories@github.com; 134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.