CVE-2026-41268
Published: 23 April 2026
Summary
CVE-2026-41268 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Flowise, a drag-and-drop interface for building customized large language model flows, is affected by CVE-2026-41268 prior to version 3.1.0. The vulnerability is an unauthenticated remote command execution flaw stemming from improper input validation (CWE-20) that permits parameter override bypass. Attackers can inject the FILE-STORAGE:: keyword alongside a NODE_OPTIONS environment variable to execute arbitrary system commands.
Any remote attacker can exploit the issue with a single HTTP request and no credentials or prior knowledge of the target, achieving root-level command execution inside the containerized Flowise instance. The CVSS 3.1 score of 9.8 reflects the combination of network accessibility, lack of required privileges or user interaction, and full confidentiality, integrity, and availability impact.
The referenced GitHub Security Advisories GHSA-cvrr-qhgw-2mm6 state that the issue is resolved in Flowise 3.1.0. No material change in EPSS is recorded, with both current and peak values at 0.0139.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25285
Vulnerability details
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass…
more
using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: flowise, large language model
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated RCE vulnerability in public-facing Flowise web application (T1190) enables execution of arbitrary system commands with root privileges in containerized Unix environment (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly blocks the CWE-20 improper input validation that permits the FILE-STORAGE:: parameter override and NODE_OPTIONS injection used for unauthenticated RCE.
Enforces authentication and authorization checks on all requests before any flow or storage operations can be performed, eliminating the unauthenticated single-request attack path.
Limits the impact of successful command execution by restricting the container process to non-root privileges, reducing the scope of arbitrary system commands.