CVE-2026-41279
Published: 23 April 2026
Summary
CVE-2026-41279 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Flowiseai Flowise. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 16.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related — categorised as APIs and Models.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 directly addresses whitelisted endpoints without authentication by requiring identification and restriction of permitted actions, preventing unauthorized access to the text-to-speech endpoint for credential decryption.
AC-3 enforces approved authorizations for access to system resources, mitigating the lack of access enforcement on the unauthenticated endpoint that decrypts and uses stored API credentials.
AC-6 applies least privilege to restrict credential decryption and TTS generation to only authorized users, countering the vulnerability's allowance of unauthenticated privilege escalation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability is an auth bypass on a public-facing API endpoint (T1190); exploitation allows unauthorized use of stored third-party API credentials to consume external TTS services, enabling cloud service hijacking for resource/billing impact (T1496.004).
NVD Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech. This vulnerability is fixed in 3.1.0.
Deeper analysis
CVE-2026-41279 is a vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows, affecting versions prior to 3.1.0. The issue lies in the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate), which is whitelisted and accessible without authentication. This endpoint accepts a credentialId directly in the request body; when invoked without a chatflowId, it uses the supplied credentialId to decrypt stored credentials—such as OpenAI or ElevenLabs API keys—and generates speech accordingly. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated attacker with network access can exploit this vulnerability by sending a POST request to the endpoint, providing a valid credentialId from the target's Flowise instance and omitting the chatflowId parameter. Successful exploitation decrypts and leverages the victim's stored API credentials to generate text-to-speech audio, enabling unauthorized consumption of third-party TTS services. This can result in high-impact availability disruption, such as API quota exhaustion, excessive compute usage, or billing overages for the Flowise administrator.
The vulnerability was addressed in Flowise version 3.1.0. Additional details on the issue, including patch information, are available in the GitHub Security Advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5fw2-mwhh-9947.
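The CWE-639 pattern described above, as an added example that is not Flowise's code or its 3.1.0 patch: credential resolution where the caller supplies the key, beside a form that checks ownership before using it. The function names, store layout, workspace field, isPublic flag and status codes are assumptions made for illustration.

```javascript
// Added illustration, not Flowise source. Every name here is hypothetical.
// Constructed sample data standing in for the credential and chatflow stores.
const credentials = new Map([
  ["cred-a", { workspace: "ws-a", provider: "openai", secret: "constructed-key-a" }],
  ["cred-b", { workspace: "ws-b", provider: "elevenlabs", secret: "constructed-key-b" }],
]);
const chatflows = new Map([
  ["flow-public", { workspace: "ws-a", ttsCredentialId: "cred-a", isPublic: true }],
  ["flow-private", { workspace: "ws-b", ttsCredentialId: "cred-b", isPublic: false }],
]);

// Vulnerable pattern (CWE-639): with no chatflowId, the body-supplied
// credentialId is looked up and used without asking who the caller is.
function resolveVulnerable(req) {
  const { chatflowId, credentialId } = req.body;
  if (!chatflowId) {
    const cred = credentials.get(credentialId);
    return cred ? { status: 200, credential: cred } : { status: 404 };
  }
  const flow = chatflows.get(chatflowId);
  const cred = flow && credentials.get(flow.ttsCredentialId);
  return cred ? { status: 200, credential: cred } : { status: 404 };
}

// Hardened pattern: the key a caller names is honoured only after an
// ownership check; anonymous callers never choose a credential at all.
function resolveHardened(req) {
  const { chatflowId, credentialId } = req.body;
  if (chatflowId) {
    const flow = chatflows.get(chatflowId);
    if (!flow) return { status: 404 };
    const allowed = flow.isPublic || (req.user && req.user.workspace === flow.workspace);
    if (!allowed) return { status: req.user ? 403 : 401 };
    // Credential comes from server-side flow config, not from the request.
    return { status: 200, credential: credentials.get(flow.ttsCredentialId) };
  }
  if (!req.user) return { status: 401 };
  const cred = credentials.get(credentialId);
  // Same response for "missing" and "not yours" so IDs cannot be probed.
  if (!cred || cred.workspace !== req.user.workspace) return { status: 403 };
  return { status: 200, credential: cred };
}
```
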
AI Security Analysis
- AI Category: APIs and Models
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: large language model, openai