CVE-2026-41266: Flowise: unauthenticated API key exposure via chatbot config
HIGH | PoC AVAILABLE | CISA: TRACK*
Flowise's public chatbot configuration endpoint exposes API keys, HTTP authorization headers, and internal secrets to any unauthenticated caller who knows a chatflow UUID—a value routinely leaked through client-side JavaScript, shared links, or browser history. The blast radius is significant: Flowise acts as an orchestration hub connecting LLM providers (OpenAI, Anthropic), vector databases, and enterprise tool integrations, meaning a single endpoint hit can cascade into full credential compromise across an entire AI stack. While the raw EPSS score is low, it sits in the 87th percentile for exploitation likelihood and a public PoC already exists—making this trivially weaponizable by non-expert attackers. Upgrade to Flowise 3.1.0 immediately and rotate all credentials stored in chatflow configurations, including LLM provider API keys and any HTTP auth tokens.
What is the risk?
HIGH. CVSS 7.5 with network-accessible, zero-authentication, zero-interaction exploitation. The vulnerability (CWE-862 missing authorization + CWE-522 insufficiently protected credentials) is architecturally severe for AI deployments: Flowise stores production LLM API keys directly in chatflow config, so credential theft translates immediately to unauthorized LLM API access and potential cost fraud. The package has 59 prior CVEs, indicating a historically weak security posture. SSVC TRACK_STAR status signals active attention from threat analysts. Public PoC lowers the bar to script-kiddie level.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | — | No patch |
Do you use Flowise? You're affected.
What should I do?
1. Upgrade to Flowise 3.1.0 immediately—this is the only complete fix.
2. Rotate all credentials stored in Flowise chatflow configurations: LLM provider API keys, HTTP auth headers, database passwords, webhook tokens.
3. Audit access logs for GET requests to `/api/v1/public-chatbotConfig/` to identify potential prior exploitation.
4. If patching is delayed, block access to `/api/v1/public-chatbotConfig/` at the WAF or reverse proxy layer.
5. Going forward, prefer environment variables or a secrets manager (Vault, AWS Secrets Manager) over inline credential storage in chatflow configs.
6. Run the public PoC in a staging environment to confirm exposure before and after patching.
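For the access-log audit in the steps above, an added example (not part of the advisory or of Flowise) that lists which chatflow IDs were successfully served from the endpoint and to which clients, so the credentials in those chatflows can be rotated first. It assumes the reverse proxy writes Combined Log Format; the sample lines, IP addresses and UUIDs are constructed.

```python
import re
from collections import defaultdict

# Endpoint named in the advisory; the trailing segment is the chatflow UUID.
ENDPOINT = "/api/v1/public-chatbotConfig/"

# Assumption: Combined Log Format, the nginx/Apache default.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def audit(lines):
    """Return {chatflow_id: {client_ip: [timestamps]}} for GETs answered with 200."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.match(line)
        # Only a 200 means a configuration body was actually returned.
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]          # ignore any query string
        # Compare case-insensitively so a differently-cased path is not missed.
        if not path.lower().startswith(ENDPOINT.lower()):
            continue
        chatflow_id = path[len(ENDPOINT):].strip("/")
        if chatflow_id:
            hits[chatflow_id][m["ip"]].append(m["ts"])
    return {cid: dict(clients) for cid, clients in hits.items()}

# Constructed sample input: documentation IP ranges and made-up UUIDs.
ID_A = "11111111-2222-4333-8444-555555555555"
ID_B = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
ID_C = "00000000-0000-4000-8000-000000000000"
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/May/2026:10:01:02 +0000] "GET {ENDPOINT}{ID_A} HTTP/1.1" 200 1834 "-" "curl/8.5.0"',
    f'203.0.113.7 - - [12/May/2026:10:01:09 +0000] "GET {ENDPOINT}{ID_B}?x=1 HTTP/1.1" 200 2210 "-" "curl/8.5.0"',
    f'203.0.113.7 - - [12/May/2026:10:01:15 +0000] "GET {ENDPOINT}{ID_C} HTTP/1.1" 404 40 "-" "curl/8.5.0"',
    f'198.51.100.20 - - [12/May/2026:10:02:00 +0000] "GET {ENDPOINT}{ID_A} HTTP/1.1" 200 1834 "https://example.com/" "Mozilla/5.0"',
    f'198.51.100.20 - - [12/May/2026:10:03:00 +0000] "POST /api/v1/prediction/{ID_A} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for cid, clients in audit(SAMPLE_LOG).items():
        for ip, stamps in clients.items():
            print(f"{cid}  {ip}  {len(stamps)} request(s), first at {stamps[0]}")
```

A client that retrieved several distinct chatflow IDs, or that has no matching chat traffic, deserves a closer look than a browser loading one embedded widget.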
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-41266 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-41266, increasing the risk of exploitation.
What systems are affected by CVE-2026-41266?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM API integrations, chatbot deployments, no-code/low-code AI builders, RAG pipelines.
What is the CVSS score for CVE-2026-41266?
CVE-2026-41266 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.35%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0002.002 AI Agent Configuration
- AML.T0049 Exploit Public-Facing Application
- AML.T0055 Unsecured Credentials
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0084 Discover AI Agent Configuration
- AML.T0091.000 Application Access Token
What are the technical details?
Original Advisory
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more. This vulnerability is fixed in 3.1.0.
Exploitation Scenario
An attacker identifies a public Flowise instance via Shodan, Censys, or by targeting an organization known to use the product. They extract a chatflow UUID from client-side JavaScript embedded in a public-facing chatbot widget or from a shared demo link posted on social media. They issue a single unauthenticated HTTP GET to `/api/v1/public-chatbotConfig/<UUID>` and receive a JSON response containing the full chatflow configuration including plaintext OpenAI API keys, Anthropic API keys, and any HTTP auth headers configured for tool integrations. With these credentials, the attacker begins making API calls at the victim's expense, accesses connected vector databases to exfiltrate RAG content, and potentially pivots to other integrated enterprise systems using the leaked HTTP tokens.
Weaknesses (CWE)
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Primary)
- CWE-522 Insufficiently Protected Credentials (Primary)
- CWE-862 Missing Authorization (Primary)
CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2025-59528 | 10.0 | Flowise: Unauthenticated RCE via MCP config injection | Same package: flowise |
| CVE-2026-46442 | 9.9 | Flowise: sandbox escape enables authenticated RCE | Same package: flowise |
| CVE-2025-61913 | 9.9 | Flowise: path traversal in file tools leads to RCE | Same package: flowise |
| CVE-2026-40933 | 9.9 | Flowise: RCE via MCP stdio command injection | Same package: flowise |
| CVE-2026-56274 | 9.9 | Flowise: RCE via MCP server command validation bypass | Same package: flowise |