CVE-2026-41278

HighPublic PoC

Published: 23 April 2026

Published

23 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0004 12.3th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41278 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Flowiseai Flowise. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-22 Publicly Accessible Content good match

prevent

AC-22 directly restricts the disclosure of sensitive information in publicly accessible content, mitigating the exposure of raw chatflow data including API keys via unauthenticated public endpoints.

SI-15 Information Output Filtering good match

prevent

SI-15 requires filtering of outgoing information to block sensitive data such as plaintext API keys and credentials before transmission in API responses.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely identification and remediation of flaws like the missing sanitizeFlowDataForPublicEndpoint function, preventing information disclosure through patching to version 3.1.0.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1552 Unsecured Credentials Credential Access

Adversaries may search compromised systems to find and obtain insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing API endpoint (no sanitization on /api/v1/public-chatflows/:id and public-chatbotConfig) is exploited via T1190 to retrieve raw flowData; this directly exposes plaintext credentials and API keys, facilitating T1552 Unsecured Credentials.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than…

initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows AND public-chatbotConfig return completely raw flowData including credential IDs, plaintext API keys, and password-type fields. This vulnerability is fixed in 3.1.0.

Deeper analysisAI

CVE-2026-41278 is a vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. In versions prior to 3.1.0, including the v3.0.13 Docker image, the GET /api/v1/public-chatflows/:id endpoint exposes the full chatflow object without sanitization for public chatflows. Additionally, the public-chatbotConfig endpoint returns completely raw flowData, disclosing sensitive information such as credential IDs, plaintext API keys, and password-type fields. This issue stems from the absence of the sanitizeFlowDataForPublicEndpoint function in released images and is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The vulnerability can be exploited by any unauthenticated attacker with network access who knows or guesses the public chatflow ID. By sending a simple GET request to the affected endpoints, attackers can retrieve raw flowData containing highly sensitive credentials, enabling unauthorized access to integrated services like LLM APIs. No user interaction or privileges are required, making it straightforward to extract and misuse API keys or other secrets embedded in the chatflows.

The Flowise security advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-w47f-j8rh-wx87 confirms the issue and states that it is fixed in version 3.1.0, recommending immediate upgrades for all prior installations, particularly those exposing public chatflows.

This vulnerability is particularly relevant to AI/ML deployments, as Flowise is designed for LLM orchestration, potentially exposing keys to external AI services in production environments. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-04-23.

Details

CWE(s): CWE-200

Affected Products

flowiseai

flowise

≤ 3.1.0

AI Security AnalysisAI

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: large language model

CVEs Like This One

CVE-2026-41266Same product: Flowiseai Flowise

CVE-2026-41272Same product: Flowiseai Flowise

CVE-2026-41277Same product: Flowiseai Flowise

CVE-2026-41274Same product: Flowiseai Flowise

CVE-2026-30824Same product: Flowiseai Flowise

CVE-2026-41270Same product: Flowiseai Flowise

CVE-2026-41265Same product: Flowiseai Flowise

CVE-2026-41273Same product: Flowiseai Flowise

CVE-2026-41276Same product: Flowiseai Flowise

CVE-2026-31829Same product: Flowiseai Flowise

References

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-w47f-j8rh-wx87
Exploit, Vendor Advisory · security-advisories@github.com