CVE-2026-41268: Flowise: unauthenticated RCE via NODE_OPTIONS env injection

CRITICAL | PoC AVAILABLE | CISA: ATTEND
Published April 23, 2026
CISO Take

Flowise, the popular drag-and-drop LLM workflow builder, contains a critical unauthenticated remote code execution vulnerability where an attacker can inject NODE_OPTIONS environment variables through a FILE-STORAGE:: parameter override, achieving arbitrary OS command execution as root inside the container — all in a single HTTP request with zero credentials or prior knowledge required. Public PoC code is already available and CISA SSVC rates this ATTEND, meaning active exploitation may follow quickly; with EPSS placing it in the top 28% of likely-exploited vulnerabilities, the window for unpatched instances is narrow. Flowise deployments hold the keys to your entire AI agent ecosystem — stored LLM API keys, agent configurations, tool credentials, and connected data sources are all at risk of full compromise. Upgrade to Flowise 3.1.0 immediately; if patching is not possible, restrict network access to trusted IPs only and monitor HTTP traffic for FILE-STORAGE:: parameter patterns.

Sources: NVD, EPSS, GitHub Advisory, ATLAS

What is the risk?

Critical risk with high exploitability floor. CVSS 9.8 reflects the zero-prerequisite nature: network-accessible, no authentication, no user interaction, low complexity — a script-kiddie with the public PoC can exploit this in minutes. Flowise typically runs in containerized environments with root-level privileges and direct access to LLM API keys, external tool credentials, and agent workflow logic, making post-exploitation impact exceptionally high. The 59 prior CVEs in this package also suggest a systemic pattern of weak input validation that should inform long-term architectural trust decisions.

How does the attack unfold?

  1. Discovery (AML.T0006): Attacker scans the internet for Flowise instances via port fingerprinting (default 3000/3001) or Shodan queries targeting the Flowise UI signature.

  2. Initial Access (AML.T0049): A single unauthenticated HTTP request is sent to the Flowise API with a FILE-STORAGE:: parameter override containing a malicious NODE_OPTIONS environment variable injection — no credentials or session required.

  3. Command Execution (AML.T0050): Node.js processes the injected NODE_OPTIONS value, loading the attacker's payload and executing arbitrary OS commands as root within the Flowise container.

  4. Credential Harvest & Persistence (AML.T0083): Attacker extracts all LLM API keys, database credentials, and agent tool secrets from the compromised container, then modifies Flowise agent configurations to establish persistent access and silent data exfiltration.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---------|-----------|------------------|---------|
| Flowise | npm       |                  | No patch |

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 1.4% chance of exploitation in 30 days (higher than 81% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

What is the attack surface?

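Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High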

What should I do?

  1. Patch immediately: upgrade to Flowise 3.1.0 — this is the only complete fix.

  2. If patching is delayed, place Flowise behind a WAF or reverse proxy restricted to trusted IP ranges; block all unauthenticated external access.

  3. Detection: search web server logs for HTTP requests containing 'FILE-STORAGE::' in any parameter value, especially combined with NODE_OPTIONS substrings.

  4. Assume breach audit: if any Flowise instance was internet-exposed prior to patching, rotate all stored API keys, database credentials, and any secrets visible in Flowise flow configurations.

  5. Review container runtime security — ensure Flowise containers do not run as root post-patch and apply least-privilege container policies.

  6. Enumerate all Flowise instances across the organization via asset inventory before assuming coverage.
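
The log search from step 3, as an added example (not code from the advisory or the Flowise project): it percent-decodes each line before matching, so encoded forms of FILE-STORAGE:: are not missed by a plain substring search. The log format, paths and sample lines are constructed, and it assumes your proxy or web server logs query strings or request bodies.

```python
from urllib.parse import unquote_plus

# Indicator strings named in the advisory, lower-cased for matching.
OVERRIDE = "file-storage::"
ENV_VAR = "node_options"

def normalise(text, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded values match."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()

def classify(line):
    """Return 'high', 'review' or None for one log line."""
    text = normalise(line)
    if OVERRIDE not in text:
        return None
    # The override keyword alone warrants review; with NODE_OPTIONS it is high priority.
    return "high" if ENV_VAR in text else "review"

def scan(lines):
    """Return (line_number, source_ip, verdict) for every matching line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            source_ip = line.split(" ", 1)[0]  # assumes client IP is the first field
            hits.append((number, source_ip, verdict))
    return hits

# Constructed sample lines in a hypothetical proxy log format:
# client IP, request line, status, logged body. Values are placeholders.
SAMPLE_LOG = [
    '203.0.113.10 "GET /example/health HTTP/1.1" 200 body="-"',
    '198.51.100.7 "POST /example/endpoint HTTP/1.1" 200 '
    'body="x=FILE-STORAGE%3A%3APLACEHOLDER&y=NODE_OPTIONS%3DPLACEHOLDER"',
    '198.51.100.8 "POST /example/endpoint HTTP/1.1" 200 '
    'body="x=file-storage%253A%253APLACEHOLDER"',
    '203.0.113.11 "POST /example/endpoint HTTP/1.1" 200 body="note=storage+report"',
]

if __name__ == "__main__":
    for number, source_ip, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {source_ip} -> {verdict}")
```

Source IPs returned by `scan` are a starting point for the assume-breach audit in step 4.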

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system operation and monitoring; A.9.4 - AI system security
NIST AI RMF: GOVERN 6.2 - Policies and procedures for AI risk management; MANAGE 2.2 - Mechanisms for sustaining effectiveness of risk responses
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-41268 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-41268, increasing the risk of exploitation.

What systems are affected by CVE-2026-41268?

This vulnerability affects the following AI/ML architecture patterns: LLM agent orchestration platforms, AI workflow automation pipelines, Agent frameworks, No-code/low-code AI builders, Multi-agent systems.

What is the CVSS score for CVE-2026-41268?

CVE-2026-41268 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.39%.

What is the AI security impact?

Affected AI Architectures

LLM agent orchestration platforms
AI workflow automation pipelines
Agent frameworks
No-code/low-code AI builders
Multi-agent systems

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4, A.9.4
NIST AI RMF: GOVERN 6.2, MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0.

Exploitation Scenario

An attacker scans the internet for Flowise instances (port 3000/3001 with the Flowise UI fingerprint). Upon discovering an unpatched instance, they craft a single HTTP POST request to a Flowise API endpoint, embedding a FILE-STORAGE:: parameter override that injects a malicious NODE_OPTIONS value pointing to an attacker-controlled script. Node.js processes the request, loads the injected option, and executes the attacker's payload as root. Within seconds, the attacker establishes a reverse shell (AML.T0072), extracts all LLM API keys and tool credentials from the Flowise database and environment, and deploys a persistent backdoor. From there they can silently modify AI agent workflows to exfiltrate all user queries to an attacker-controlled endpoint, effectively poisoning the AI pipeline without disrupting normal operations.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 23, 2026
Last Modified: April 24, 2026
First Seen: April 23, 2026
