CVE-2026-41279

High · Public PoC

Published: 23 April 2026

Modified: 24 April 2026
CVSS Score v4: 8.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0026 (17.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41279 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Flowiseai Flowise. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 17.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-41279 is a vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows, affecting versions prior to 3.1.0. The issue lies in the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate), which is whitelisted and accessible without authentication. This endpoint accepts a credentialId directly in the request body; when invoked without a chatflowId, it uses the supplied credentialId to decrypt stored credentials—such as OpenAI or ElevenLabs API keys—and generates speech accordingly. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any unauthenticated attacker with network access can exploit this vulnerability by sending a POST request to the endpoint, providing a valid credentialId from the target's Flowise instance and omitting the chatflowId parameter. Successful exploitation decrypts and leverages the victim's stored API credentials to generate text-to-speech audio, enabling unauthorized consumption of third-party TTS services. This can result in high-impact availability disruption, such as API quota exhaustion, excessive compute usage, or billing overages for the Flowise administrator.

The vulnerability was addressed in Flowise version 3.1.0. Additional details on the issue, including patch information, are available in the GitHub Security Advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5fw2-mwhh-9947.
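The access decision described above, modelled as an added example; this is not Flowise source and not the 3.1.0 patch. The store contents, record fields (owner, isPublic, ttsCredentialId) and function names are constructed assumptions. It contrasts the CWE-639 pattern (credential selected by a caller-supplied key) with a handler that only resolves credentials through server-side state or an authenticated owner.

```javascript
// Added sketch, not project code. All records and names are constructed.
const credentialStore = new Map([
  ['cred-openai-1', { owner: 'admin', secret: 'sk-constructed' }],
  ['cred-eleven-2', { owner: 'alice', secret: 'el-constructed' }],
]);
// Server-side chatflow config: the credential each flow is bound to.
const chatflows = new Map([
  ['flow-public', { ttsCredentialId: 'cred-openai-1', isPublic: true }],
  ['flow-private', { ttsCredentialId: 'cred-eleven-2', isPublic: false }],
]);

// Pattern from the advisory text: the lookup key comes straight from the
// request body and no identity is checked before the credential is used.
function resolveTtsCredentialVulnerable(req) {
  const cred = credentialStore.get(req.body.credentialId);
  return cred ? { ok: true, secret: cred.secret } : { ok: false, status: 404 };
}

// Hardened: the caller never selects a credential on its own say-so.
function resolveTtsCredentialHardened(req) {
  const { chatflowId, credentialId } = req.body;
  if (chatflowId !== undefined) {
    const flow = chatflows.get(chatflowId);
    if (!flow) return { ok: false, status: 404 };
    if (!flow.isPublic && !req.user) return { ok: false, status: 401 };
    // Any credentialId in the body is ignored; the flow's binding wins.
    const cred = credentialStore.get(flow.ttsCredentialId);
    return cred ? { ok: true, secret: cred.secret } : { ok: false, status: 404 };
  }
  // No chatflowId: direct credential use requires an authenticated owner.
  if (!req.user) return { ok: false, status: 401 };
  const cred = credentialStore.get(credentialId);
  // Same answer for "missing" and "not yours" so IDs cannot be enumerated.
  if (!cred || cred.owner !== req.user.id) return { ok: false, status: 404 };
  return { ok: true, secret: cred.secret };
}
```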

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech. This vulnerability is fixed in 3.1.0.

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: flowise, large language model, openai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1496.004 Cloud Service Hijacking (Impact)
Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability.

Why these techniques?

Vulnerability is an auth bypass on a public-facing API endpoint (T1190); exploitation allows unauthorized use of stored third-party API credentials to consume external TTS services, enabling cloud service hijacking for resource/billing impact (T1496.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41277 (same product: Flowiseai Flowise)
CVE-2026-41267 (same product: Flowiseai Flowise)
CVE-2026-41272 (same product: Flowiseai Flowise)
CVE-2025-34267 (same product: Flowiseai Flowise)
CVE-2026-41274 (same product: Flowiseai Flowise)
CVE-2025-8943 (same product: Flowiseai Flowise)
CVE-2026-40933 (same product: Flowiseai Flowise)
CVE-2026-41268 (same product: Flowiseai Flowise)
CVE-2026-41269 (same product: Flowiseai Flowise)
CVE-2026-41265 (same product: Flowiseai Flowise)

Affected Assets

flowiseai
flowise
≤ 3.1.0

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-14 directly addresses whitelisted endpoints without authentication by requiring identification and restriction of permitted actions, preventing unauthorized access to the text-to-speech endpoint for credential decryption.

Prevent: AC-3 enforces approved authorizations for access to system resources, mitigating the lack of access enforcement on the unauthenticated endpoint that decrypts and uses stored API credentials.

Prevent: AC-6 applies least privilege to restrict credential decryption and TTS generation to only authorized users, countering the vulnerability's allowance of unauthenticated privilege escalation.
