CVE-2026-41273

Severity: High · Public PoC

Published: 23 April 2026

Published: 23 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: fixed in 3.1.0
CVSS Score (v4): 7.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0031 (22.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41273 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Flowiseai Flowise. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).

Deeper analysis

CVE-2026-41273 is an authentication bypass vulnerability (CWE-306) in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. Affecting versions prior to 3.1.0, the flaw enables unauthenticated attackers to access a public chatflow configuration endpoint and retrieve internal workflow data, including OAuth credential identifiers associated with public chatflows. This exposure allows attackers to refresh and obtain valid OAuth 2.0 access tokens without authentication.

The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and no privileges required. Unauthenticated remote attackers can exploit it to steal sensitive OAuth 2.0 access tokens tied to public chatflows, potentially granting unauthorized access to downstream services or resources configured in the LLM workflow.

Flowise addressed this issue in version 3.1.0. Security practitioners should upgrade to this patched release immediately. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6f7g-v4pp-r667.

This vulnerability holds relevance for AI/ML deployments, as Flowise is designed for orchestrating LLM-based chatflows that may integrate external OAuth-protected services.

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.

CWE(s): CWE-306 Missing Authentication for Critical Function

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: flowise, large language model

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token (Credential Access): Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Why these techniques?

Authentication bypass in public-facing Flowise app enables T1190 (Exploit Public-Facing Application) for initial access; directly exposes OAuth credential IDs and allows unauthenticated retrieval/refresh of access tokens, facilitating T1528 (Steal Application Access Token).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30824 · Same product: Flowiseai Flowise
CVE-2025-58434 · Same product: Flowiseai Flowise
CVE-2025-8943 · Same product: Flowiseai Flowise
CVE-2026-41272 · Same product: Flowiseai Flowise
CVE-2026-41277 · Same product: Flowiseai Flowise
CVE-2026-41274 · Same product: Flowiseai Flowise
CVE-2025-34267 · Same product: Flowiseai Flowise
CVE-2026-41270 · Same product: Flowiseai Flowise
CVE-2026-31829 · Same product: Flowiseai Flowise
CVE-2026-41269 · Same product: Flowiseai Flowise

Affected Assets

Vendor: flowiseai · Product: flowise · Versions: ≤ 3.1.0

Mitigating Controls (NIST 800-53 r5)

AC-14 (prevent): explicitly limits actions permitted without identification or authentication, directly preventing unauthenticated access to public chatflow configuration endpoints exposing OAuth credential identifiers.

AC-22 (prevent): restricts and reviews publicly accessible content to prevent exposure of sensitive internal workflow data, including OAuth credentials, via public endpoints.

AC-3 (prevent): enforces approved authorizations for access to system resources, mitigating the authentication bypass by blocking unauthenticated retrieval of OAuth tokens.
