CVE-2026-41274: Flowise: Cypher injection via GraphCypherQAChain node

CRITICAL CISA: ATTEND
Published April 23, 2026
CISO Take

Flowise's GraphCypherQAChain node passes user-controlled input directly into Neo4j Cypher query execution without sanitization, giving any user capable of interacting with an exposed flow the ability to run arbitrary database commands — read, modify, or delete the entire knowledge graph. This is particularly damaging in AI agent deployments where Neo4j serves as the reasoning backbone, storing proprietary ontologies, document relationships, or sensitive business data that feeds LLM context. Although no public exploit exists today, EPSS places this in the top 73% of CVEs by exploitation likelihood and CISA SSVC recommends ATTEND — meaning your team should schedule remediation this sprint, not next quarter. Upgrade to Flowise 3.1.0; if patching is blocked, disable the GraphCypherQAChain node and enforce read-only Neo4j credentials for all Flowise service accounts as an interim control.

Sources: NVD, GitHub Advisory, EPSS, ATLAS

What is the risk?

HIGH for organizations running Flowise with Neo4j knowledge graph backends. The vulnerability requires no special privileges beyond accessing the Flowise UI or API — which is frequently exposed to end users or external networks in production deployments. The CWE-943 class (query language injection) is well understood and exploitation is trivial once an attacker identifies a flow using GraphCypherQAChain. The blast radius extends to the full Neo4j database, not just the data visible in the flow, making data exfiltration and destruction both credible outcomes. No patch or compensating control at the database level fully mitigates this without restricting Flowise's database credentials.

How does the attack unfold?

Initial Access
Attacker identifies a publicly accessible or network-exposed Flowise instance containing a flow built with the GraphCypherQAChain node.
AML.T0049
Injection
Attacker submits crafted input containing Cypher query commands through the Flowise chat interface or API, bypassing the absent input validation layer.
AML.T0053
Execution
Flowise forwards the unsanitized input directly to Neo4j's Cypher execution engine, which treats the injected commands as legitimate database queries and executes them with the Flowise service account's privileges.
AML.T0049
Impact
Attacker exfiltrates the full Neo4j knowledge graph (including proprietary data and embedded credentials), modifies graph relationships to corrupt AI agent reasoning, or executes destructive statements to delete the knowledge base.
AML.T0086

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 46% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. PATCH

    Upgrade Flowise to 3.1.0 which introduces input sanitization in the GraphCypherQAChain node.

  2. CREDENTIAL HARDENING

    If patching is delayed, configure Neo4j credentials used by Flowise with the minimum required role — ideally read-only (reader role) to prevent write/delete operations.

  3. NODE DISABLE

    Remove or disable GraphCypherQAChain nodes from all active flows until patched.

  4. NETWORK ISOLATION

    Restrict Flowise API/UI access to authenticated internal users; do not expose Flowise instances directly to the internet.

  5. DETECTION

    Enable Neo4j query logging and alert on anomalous Cypher patterns such as MATCH (n) DETACH DELETE, CALL db., or queries returning large node sets outside of expected business patterns.

  6. AUDIT

    Review Neo4j access logs for historical exploitation attempts by looking for malformed or unusually complex Cypher queries from the Flowise service account.
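Added example (not from the advisory, Flowise or Neo4j): a Python pass over Neo4j query-log lines that implements steps 5 and 6 above, flagging the patterns the detection step names when they are issued by the Flowise account. The account name `flowise`, the row threshold and the sample log lines are constructed assumptions; the parser targets the tail layout of a Neo4j 5 query.log line (`<db> - <user> - <query> - {params}`) and should be adjusted to the format your deployment actually writes.

```python
import re
FLOWISE_USER = "flowise"  # hypothetical name of the Neo4j account Flowise uses; change to yours
MAX_ROWS = 100  # largest LIMIT a chat-driven read is expected to request

# The advisory's detection patterns plus Cypher write clauses a read-only Q&A flow never
# emits; word-boundary matching can false-positive on property names such as n.set.
WRITE_RE = re.compile(r"\b(DETACH\s+DELETE|DELETE|CREATE|MERGE|SET|REMOVE|DROP)\b", re.I)
PROC_RE = re.compile(r"\bCALL\s+(db|dbms|apoc)\.", re.I)
FULL_SCAN_RE = re.compile(r"\bMATCH\s*\(\s*\w*\s*\)\s*RETURN\b", re.I)  # unlabelled MATCH (n) RETURN
LIMIT_RE = re.compile(r"\bLIMIT\s+(\d+)", re.I)
# Tail of a Neo4j 5 query.log line: "...server/host:port>\t<db> - <user> - <query> - {params} - ..."
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) .*server/\S+>\s+(?P<db>\S+) - (?P<user>\S+) - (?P<query>.+?) - \{")

def classify(query: str) -> list:
    """Return the detection rules one Cypher statement trips (empty list if benign)."""
    rules = []
    if WRITE_RE.search(query):
        rules.append("write-or-destructive-clause")
    if PROC_RE.search(query):
        rules.append("procedure-call")
    limit = LIMIT_RE.search(query)
    if FULL_SCAN_RE.search(query) and (limit is None or int(limit.group(1)) > MAX_ROWS):
        rules.append("large-or-unbounded-full-graph-read")
    return rules

def scan_log(lines, user: str = FLOWISE_USER) -> list:
    """Return (timestamp, user, rule, query) tuples for statements by `user` that trip a rule."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("user") == user:
            for rule in classify(m.group("query")):
                findings.append((m.group("ts"), user, rule, m.group("query")))
    return findings

def _line(ts, client, user, query):
    # Build a constructed log line in the Neo4j 5 query.log layout; this is not captured traffic.
    return (f"{ts} INFO  bolt-session\tbolt\tneo4j-javascript/5.x\t\tclient/{client}\t"
            f"server/10.0.0.2:7687>\tneo4j - {user} - {query} - {{}} - runtime=pipelined - {{}}")

SAMPLE_LOG = [  # constructed sample: one benign read, three suspicious statements, one other account
    _line("2026-04-23 10:15:01.000+0000", "10.0.0.5:53344", "flowise", "MATCH (p:Product) RETURN p.name LIMIT 10"),
    _line("2026-04-23 10:15:07.000+0000", "10.0.0.5:53344", "flowise", "MATCH (n) RETURN n LIMIT 1000"),
    _line("2026-04-23 10:15:12.000+0000", "10.0.0.5:53344", "flowise", "CALL db.labels()"),
    _line("2026-04-23 10:15:20.000+0000", "10.0.0.5:53344", "flowise", "MATCH (n) DETACH DELETE n"),
    _line("2026-04-23 10:16:00.000+0000", "10.0.0.9:41000", "admin", "MATCH (n) DETACH DELETE n"),
]

for ts, who, rule, q in scan_log(SAMPLE_LOG):
    print(f"{ts} {who} [{rule}] {q}")
```

Point `scan_log` at the lines of your real query.log (enable query logging first) and route the tuples it returns to your alerting pipeline; the same function over historical logs serves the audit step.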

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - Data governance for AI systems
A.6.2.5 - AI system security testing
NIST AI RMF
MANAGE 2.2 - AI risk response mechanisms
MAP 5.2 - AI system safety and security risk prioritization
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-41274?

Flowise's GraphCypherQAChain node passes user-controlled input directly into Neo4j Cypher query execution without sanitization, giving any user capable of interacting with an exposed flow the ability to run arbitrary database commands — read, modify, or delete the entire knowledge graph. This is particularly damaging in AI agent deployments where Neo4j serves as the reasoning backbone, storing proprietary ontologies, document relationships, or sensitive business data that feeds LLM context. Although no public exploit exists today, EPSS places this in the top 73% of CVEs by exploitation likelihood and CISA SSVC recommends ATTEND — meaning your team should schedule remediation this sprint, not next quarter. Upgrade to Flowise 3.1.0; if patching is blocked, disable the GraphCypherQAChain node and enforce read-only Neo4j credentials for all Flowise service accounts as an interim control.

Is CVE-2026-41274 actively exploited?

No confirmed active exploitation of CVE-2026-41274 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-41274?

1. PATCH: Upgrade Flowise to 3.1.0, which introduces input sanitization in the GraphCypherQAChain node.
2. CREDENTIAL HARDENING: If patching is delayed, configure the Neo4j credentials used by Flowise with the minimum required role — ideally read-only (`reader` role) to prevent write/delete operations.
3. NODE DISABLE: Remove or disable GraphCypherQAChain nodes from all active flows until patched.
4. NETWORK ISOLATION: Restrict Flowise API/UI access to authenticated internal users; do not expose Flowise instances directly to the internet.
5. DETECTION: Enable Neo4j query logging and alert on anomalous Cypher patterns such as `MATCH (n) DETACH DELETE`, `CALL db.`, or queries returning large node sets outside of expected business patterns.
6. AUDIT: Review Neo4j access logs for historical exploitation attempts by looking for malformed or unusually complex Cypher queries from the Flowise service account.

What systems are affected by CVE-2026-41274?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, Knowledge graph pipelines, Graph RAG pipelines, LLM orchestration platforms, AI-powered Q&A systems.

What is the CVSS score for CVE-2026-41274?

CVE-2026-41274 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.23%.

What is the AI security impact?

Affected AI Architectures

Agent frameworks, Knowledge graph pipelines, Graph RAG pipelines, LLM orchestration platforms, AI-powered Q&A systems

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0085.001 AI Agent Tools
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4, A.6.2.5
NIST AI RMF: MANAGE 2.2, MAP 5.2
OWASP LLM Top 10: LLM02:2025, LLM06:2025

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.

Exploitation Scenario

An attacker discovers a publicly accessible Flowise instance (common in internal tools and demo environments) containing a knowledge graph Q&A flow built on GraphCypherQAChain and Neo4j. They submit a query like 'What products do you offer? MATCH (n) RETURN n LIMIT 1000' through the chat interface, and the unsanitized input reaches the Cypher execution pipeline. The Neo4j database returns the full node inventory, revealing proprietary product data, internal user identities, or document relationship graphs. The attacker then escalates by injecting 'MATCH (u:User) RETURN u.email, u.password' to harvest credentials stored in the graph, or executes 'MATCH (n) DETACH DELETE n' to wipe the knowledge base, causing the AI agent to fail entirely. Because Flowise flows are often shared across teams without authentication, this attack may require zero credentials.

Weaknesses (CWE)

CWE-943 - Improper Neutralization of Special Elements in Data Query Logic (query language injection)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 23, 2026
Last Modified
May 4, 2026
First Seen
April 23, 2026
