CVE-2026-41275: Flowise HTTP password reset link

CISO Take

Flowise's cloud platform transmitted password reset links over unencrypted HTTP, allowing an attacker on the same network to intercept the token and fully take over the victim's account. For teams using Flowise to orchestrate LLM workflows, account compromise exposes far more than login access — embedded API keys for OpenAI, Anthropic, and other providers, along with proprietary agent configurations and RAG data source connections, are all accessible post-takeover. A public PoC exists and CISA rates this ATTEND; while the raw EPSS score (0.00019) is low, the real-world risk is amplified anywhere users trigger password resets on untrusted networks such as conference halls, hotels, or coworking spaces. Upgrade immediately to Flowise 3.1.0, rotate all API keys stored within flows, and audit login history for unauthorized access.

Sources: NVD EPSS GitHub Advisory ATLAS

What is the risk?

CVSS 7.5 (High) reflects full account compromise potential with zero required privileges, though the High attack complexity acknowledges the need for network co-location. The blast radius for AI/ML teams exceeds a typical web account takeover: Flowise flows routinely embed API credentials for downstream LLM providers, meaning a single account compromise can cascade into unauthorized API usage, agent tool abuse, and proprietary prompt logic exfiltration. The 58 other CVEs in the Flowise package indicate a persistent security debt pattern that warrants ongoing scrutiny. Self-hosted Flowise instances are not affected by this specific issue, which is scoped to cloud.flowiseai.com.

How does the attack unfold?

Network Positioning

Attacker connects to the same network as the target and deploys ARP spoofing or passive traffic interception to monitor HTTP communications.

Credential Interception

Victim triggers a password reset on cloud.flowiseai.com; attacker captures the plaintext HTTP reset link containing the one-time authentication token before the victim can use it.

AML.T0055

Account Takeover

Attacker redeems the intercepted reset token to set a new password and gains full administrative control of the victim's Flowise account.

AML.T0012

AI Credential Harvest

Attacker exports all LLM flow configurations from the compromised account, extracting embedded API keys for OpenAI, Anthropic, and other integrated services for further exploitation.

AML.T0083

Network Positioning

Attacker connects to the same network as the target and deploys ARP spoofing or passive traffic interception to monitor HTTP communications.

Credential Interception

Victim triggers a password reset on cloud.flowiseai.com; attacker captures the plaintext HTTP reset link containing the one-time authentication token before the victim can use it.

AML.T0055

Account Takeover

Attacker redeems the intercepted reset token to set a new password and gains full administrative control of the victim's Flowise account.

AML.T0012

AI Credential Harvest

Attacker exports all LLM flow configurations from the compromised account, extracting embedded API keys for OpenAI, Anthropic, and other integrated services for further exploitation.

AML.T0083

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	—	No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 9% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC High

PR None

UI Required

S Unchanged

C High

I High

A High

What should I do?

6 steps

Upgrade to Flowise 3.1.0 which enforces HTTPS for password reset links.
Rotate all API keys stored within Flowise flows (OpenAI, Anthropic, and any other integrated providers) as a precautionary measure regardless of confirmed compromise.
Review Flowise account login history and downstream LLM provider API usage logs for anomalies.
Enforce VPN or corporate network requirements for Flowise access until the upgrade is confirmed deployed.
Enable MFA on Flowise accounts where available to reduce impact of future credential interception.
For self-hosted deployments, verify the reverse proxy (nginx, Caddy, etc.) enforces HTTPS across all endpoints including authentication and password reset flows.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Extraction Agent Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.9.1 - Security of AI System

NIST AI RMF

MANAGE-2.4 - Risks of AI Systems

OWASP LLM Top 10

LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-41275?

Flowise's cloud platform transmitted password reset links over unencrypted HTTP, allowing an attacker on the same network to intercept the token and fully take over the victim's account. For teams using Flowise to orchestrate LLM workflows, account compromise exposes far more than login access — embedded API keys for OpenAI, Anthropic, and other providers, along with proprietary agent configurations and RAG data source connections, are all accessible post-takeover. A public PoC exists and CISA rates this ATTEND; while the raw EPSS score (0.00019) is low, the real-world risk is amplified anywhere users trigger password resets on untrusted networks such as conference halls, hotels, or coworking spaces. Upgrade immediately to Flowise 3.1.0, rotate all API keys stored within flows, and audit login history for unauthorized access.

Is CVE-2026-41275 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-41275, increasing the risk of exploitation.

How to fix CVE-2026-41275?

1. Upgrade to Flowise 3.1.0 which enforces HTTPS for password reset links. 2. Rotate all API keys stored within Flowise flows (OpenAI, Anthropic, and any other integrated providers) as a precautionary measure regardless of confirmed compromise. 3. Review Flowise account login history and downstream LLM provider API usage logs for anomalies. 4. Enforce VPN or corporate network requirements for Flowise access until the upgrade is confirmed deployed. 5. Enable MFA on Flowise accounts where available to reduce impact of future credential interception. 6. For self-hosted deployments, verify the reverse proxy (nginx, Caddy, etc.) enforces HTTPS across all endpoints including authentication and password reset flows.

What systems are affected by CVE-2026-41275?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, RAG pipelines, API key management.

What is the CVSS score for CVE-2026-41275?

CVE-2026-41275 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM orchestration platformsRAG pipelinesAPI key management

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.9.1

NIST AI RMF: MANAGE-2.4

OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle (MITM) attack, where an attacker on the same network as the user (e.g., public Wi-Fi) can intercept the reset link and gain unauthorized access to the victim’s account. This vulnerability is fixed in 3.1.0.

Exploitation Scenario

An attacker at a security conference positions on the same Wi-Fi network as a Flowise user and activates ARP spoofing using readily available tools. The victim, locked out of their cloud.flowiseai.com account, clicks Forgot Password. The platform generates a reset token and emails it; when the victim clicks the email link, the HTTP redirect is captured in plaintext by the attacker before HTTPS negotiation occurs. The attacker redeems the token first, sets a new password, and silently takes over the account. They immediately export all LLM flow configurations — harvesting API keys for multiple LLM providers embedded in production workflows — then restore the original password to avoid detection, leaving the victim unaware.

Weaknesses (CWE)

CWE-319 Cleartext Transmission of Sensitive Information Primary

CWE-319 — Cleartext Transmission of Sensitive Information: The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

[Architecture and Design] Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
[Implementation] When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.

Source: MITRE CWE corpus.