Cyber Resilience

CVE-2026-41268

CriticalPublic PoC

Published: 23 April 2026

Published
23 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1379 96.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-41268 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Flowise, a drag-and-drop interface for building customized large language model flows, is affected by CVE-2026-41268 prior to version 3.1.0. The vulnerability is an unauthenticated remote command execution flaw stemming from improper input validation (CWE-20) that permits parameter override bypass. Attackers can inject the FILE-STORAGE:: keyword alongside a NODE_OPTIONS environment variable to execute arbitrary system commands.

Any remote attacker can exploit the issue with a single HTTP request and no credentials or prior knowledge of the target, achieving root-level command execution inside the containerized Flowise instance. The CVSS 3.1 score of 9.8 reflects the combination of network accessibility, lack of required privileges or user interaction, and full confidentiality, integrity, and availability impact.

The referenced GitHub Security Advisories GHSA-cvrr-qhgw-2mm6 state that the issue is resolved in Flowise 3.1.0. No material change in EPSS is recorded, with both current and peak values at 0.0139.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass…

more

using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: flowise, large language model

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated RCE vulnerability in public-facing Flowise web application (T1190) enables execution of arbitrary system commands with root privileges in containerized Unix environment (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40933Same product: Flowiseai Flowise
CVE-2025-8943Same product: Flowiseai Flowise
CVE-2026-41272Same product: Flowiseai Flowise
CVE-2026-41277Same product: Flowiseai Flowise
CVE-2026-41274Same product: Flowiseai Flowise
CVE-2025-34267Same product: Flowiseai Flowise
CVE-2026-41270Same product: Flowiseai Flowise
CVE-2026-30824Same product: Flowiseai Flowise
CVE-2026-31829Same product: Flowiseai Flowise
CVE-2026-41269Same product: Flowiseai Flowise

Affected Assets

flowiseai
flowise
≤ 3.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly blocks the CWE-20 improper input validation that permits the FILE-STORAGE:: parameter override and NODE_OPTIONS injection used for unauthenticated RCE.

prevent

Enforces authentication and authorization checks on all requests before any flow or storage operations can be performed, eliminating the unauthenticated single-request attack path.

prevent

Limits the impact of successful command execution by restricting the container process to non-root privileges, reducing the scope of arbitrary system commands.

References