AI Threat Alert
CVE-2026-41273: Flowise: auth bypass exposes OAuth 2.0 tokens
HIGH PoC AVAILABLE CISA: TRACK*Flowise, the popular drag-and-drop LLM workflow builder, contains an authentication bypass (CWE-306) in versions prior to 3.1.0 that lets any unauthenticated attacker retrieve OAuth 2.0 access tokens for every third-party service integrated into your AI workflows. The attack requires zero privileges, no user interaction, is remotely exploitable, and a public proof-of-concept already exists — meaning the exploit bar is at script-kiddie level today. With an EPSS score in the 78th percentile and CISA's SSVC flagging this as TRACK_STAR, this cannot be deprioritized even in the absence of KEV listing. Blast radius extends well beyond Flowise itself: stolen OAuth tokens can grant authenticated access to Google Workspace, GitHub, Slack, databases, or any other service the AI workflow was authorized to use. Patch immediately to Flowise 3.1.0 and rotate all OAuth credentials connected to any pre-patch deployment.
What is the risk?
HIGH. The CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) score reflects worst-case network accessibility with no barriers to exploitation. Public PoC code removes the skill threshold entirely. The cascading OAuth token theft has a blast radius that extends into every downstream service integrated with Flowise workflows — the initial vulnerability is a 8.2, but the downstream impact on connected enterprise systems could be far higher. Flowise has accumulated 59 prior CVEs, indicating persistent security debt and suggesting this package warrants elevated scrutiny as part of any AI supply chain review. Organizations that have not restricted Flowise configuration endpoints at the network perimeter should treat this as an active threat.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | — | No patch |
Do you use Flowise? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
PATCH
Upgrade Flowise to 3.1.0 immediately — this is the only complete fix.
-
WORKAROUND (if patching is blocked): Restrict access to chatflow configuration endpoints (/api/v1/public-chatflows/* and related config routes) via WAF rules, reverse proxy ACLs, or firewall at the network perimeter.
-
ROTATE CREDENTIALS
Assume all OAuth credentials connected to any pre-patch Flowise instance are compromised. Revoke and reissue all OAuth tokens for connected integrations regardless of whether exploitation is confirmed.
-
AUDIT
Review OAuth grant and access logs in connected platforms (Google Workspace, GitHub, Slack, etc.) for anomalous access in the past 30 days.
-
INVENTORY
Enumerate all Flowise instances in the environment including developer sandboxes and shadow IT deployments.
-
DETECT
Alert on unauthenticated GET requests to Flowise chatflow configuration endpoints in web/application logs.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-41273?
Flowise, the popular drag-and-drop LLM workflow builder, contains an authentication bypass (CWE-306) in versions prior to 3.1.0 that lets any unauthenticated attacker retrieve OAuth 2.0 access tokens for every third-party service integrated into your AI workflows. The attack requires zero privileges, no user interaction, is remotely exploitable, and a public proof-of-concept already exists — meaning the exploit bar is at script-kiddie level today. With an EPSS score in the 78th percentile and CISA's SSVC flagging this as TRACK_STAR, this cannot be deprioritized even in the absence of KEV listing. Blast radius extends well beyond Flowise itself: stolen OAuth tokens can grant authenticated access to Google Workspace, GitHub, Slack, databases, or any other service the AI workflow was authorized to use. Patch immediately to Flowise 3.1.0 and rotate all OAuth credentials connected to any pre-patch deployment.
Is CVE-2026-41273 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-41273, increasing the risk of exploitation.
How to fix CVE-2026-41273?
1. PATCH: Upgrade Flowise to 3.1.0 immediately — this is the only complete fix. 2. WORKAROUND (if patching is blocked): Restrict access to chatflow configuration endpoints (/api/v1/public-chatflows/* and related config routes) via WAF rules, reverse proxy ACLs, or firewall at the network perimeter. 3. ROTATE CREDENTIALS: Assume all OAuth credentials connected to any pre-patch Flowise instance are compromised. Revoke and reissue all OAuth tokens for connected integrations regardless of whether exploitation is confirmed. 4. AUDIT: Review OAuth grant and access logs in connected platforms (Google Workspace, GitHub, Slack, etc.) for anomalous access in the past 30 days. 5. INVENTORY: Enumerate all Flowise instances in the environment including developer sandboxes and shadow IT deployments. 6. DETECT: Alert on unauthenticated GET requests to Flowise chatflow configuration endpoints in web/application logs.
What systems are affected by CVE-2026-41273?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, OAuth-integrated AI pipelines, enterprise AI orchestration, RAG pipelines with external data connectors.
What is the CVSS score for CVE-2026-41273?
CVE-2026-41273 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 0.31%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application AML.T0083 Credentials from AI Agent Configuration AML.T0084 Discover AI Agent Configuration AML.T0091.000 Application Access Token AML.T0106 Exploitation for Credential Access Compliance Controls Affected
What are the technical details?
Original Advisory
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.
Exploitation Scenario
An attacker scans internet-facing hosts for Flowise instances using Shodan or Censys queries targeting Flowise's distinctive UI fingerprint. They identify a target running a pre-3.1.0 version with public chatflows enabled. With a single unauthenticated HTTP GET to /api/v1/public-chatflows/{chatflow_id}, the attacker receives the full workflow configuration JSON, which includes OAuth credential identifiers for connected integrations — for example, a Google Drive connector used to feed documents into a RAG pipeline. The attacker passes these credential identifiers to the OAuth token refresh endpoint, obtaining a valid access token for the victim's Google Workspace account. From there, they exfiltrate documents from Google Drive, pivot to connected services using the same OAuth grant, and establish persistence by using the long-lived refresh token — all without ever authenticating to Flowise itself.
Weaknesses (CWE)
CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
- [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Timeline
Related Vulnerabilities
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2026-56274 9.9 Flowise: RCE via MCP server command validation bypass
Same package: flowise