CVE-2026-41273
Published: 23 April 2026
Summary
CVE-2026-41273 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Flowiseai Flowise. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).
Deeper analysis
CVE-2026-41273 is an authentication bypass vulnerability (CWE-306) in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. Affecting versions prior to 3.1.0, the flaw enables unauthenticated attackers to access a public chatflow configuration endpoint and retrieve internal workflow data, including OAuth credential identifiers associated with public chatflows. This exposure allows attackers to refresh and obtain valid OAuth 2.0 access tokens without authentication.
The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and no privileges required. Unauthenticated remote attackers can exploit it to steal sensitive OAuth 2.0 access tokens tied to public chatflows, potentially granting unauthorized access to downstream services or resources configured in the LLM workflow.
Flowise addressed this issue in version 3.1.0. Security practitioners should upgrade to this patched release immediately. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6f7g-v4pp-r667.
This vulnerability holds relevance for AI/ML deployments, as Flowise is designed for orchestrating LLM-based chatflows that may integrate external OAuth-protected services.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25290
Vulnerability details
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public…
more
chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: flowise, large language model
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass in public-facing Flowise app enables T1190 (Exploit Public-Facing Application) for initial access; directly exposes OAuth credential IDs and allows unauthenticated retrieval/refresh of access tokens, facilitating T1528 (Steal Application Access Token).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-14 explicitly limits actions permitted without identification or authentication, directly preventing unauthenticated access to public chatflow configuration endpoints exposing OAuth credential identifiers.
AC-22 restricts and reviews publicly accessible content to prevent exposure of sensitive internal workflow data including OAuth credentials via public endpoints.
AC-3 enforces approved authorizations for access to system resources, mitigating the authentication bypass by blocking unauthenticated retrieval of OAuth tokens.