Cyber Resilience

CVE-2026-41278

HighPublic PoC

Published: 23 April 2026

Published
23 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 33.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41278 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Flowiseai Flowise. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-41278 is a vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. In versions prior to 3.1.0, including the v3.0.13 Docker image, the GET /api/v1/public-chatflows/:id endpoint exposes the full chatflow object without sanitization for public chatflows. Additionally, the public-chatbotConfig endpoint returns completely raw flowData, disclosing sensitive information such as credential IDs, plaintext API keys, and password-type fields. This issue stems from the absence of the sanitizeFlowDataForPublicEndpoint function in released images and is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The vulnerability can be exploited by any unauthenticated attacker with network access who knows or guesses the public chatflow ID. By sending a simple GET request to the affected endpoints, attackers can retrieve raw flowData containing highly sensitive credentials, enabling unauthorized access to integrated services like LLM APIs. No user interaction or privileges are required, making it straightforward to extract and misuse API keys or other secrets embedded in the chatflows.

The Flowise security advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-w47f-j8rh-wx87 confirms the issue and states that it is fixed in version 3.1.0, recommending immediate upgrades for all prior installations, particularly those exposing public chatflows.

This vulnerability is particularly relevant to AI/ML deployments, as Flowise is designed for LLM orchestration, potentially exposing keys to external AI services in production environments. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-04-23.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than…

more

initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows AND public-chatbotConfig return completely raw flowData including credential IDs, plaintext API keys, and password-type fields. This vulnerability is fixed in 3.1.0.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: flowise, large language model

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Vulnerability in public-facing API endpoint (no sanitization on /api/v1/public-chatflows/:id and public-chatbotConfig) is exploited via T1190 to retrieve raw flowData; this directly exposes plaintext credentials and API keys, facilitating T1552 Unsecured Credentials.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41266Same product: Flowiseai Flowise
CVE-2026-41272Same product: Flowiseai Flowise
CVE-2025-34267Same product: Flowiseai Flowise
CVE-2026-41277Same product: Flowiseai Flowise
CVE-2025-8943Same product: Flowiseai Flowise
CVE-2026-41274Same product: Flowiseai Flowise
CVE-2026-41279Same product: Flowiseai Flowise
CVE-2026-40933Same product: Flowiseai Flowise
CVE-2026-41268Same product: Flowiseai Flowise
CVE-2026-41269Same product: Flowiseai Flowise

Affected Assets

flowiseai
flowise
≤ 3.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-22 directly restricts the disclosure of sensitive information in publicly accessible content, mitigating the exposure of raw chatflow data including API keys via unauthenticated public endpoints.

prevent

SI-15 requires filtering of outgoing information to block sensitive data such as plaintext API keys and credentials before transmission in API responses.

prevent

SI-2 mandates timely identification and remediation of flaws like the missing sanitizeFlowDataForPublicEndpoint function, preventing information disclosure through patching to version 3.1.0.

References