CVE-2026-41276: Flowise: auth bypass enables full account takeover via reset

CRITICAL | PoC AVAILABLE | CISA: ATTEND
Published April 23, 2026
CISO Take

A critical authentication bypass (CVSS 9.8) in Flowise's password reset API allows any unauthenticated attacker to take over any user account using only a known email address — no reset token required, because the server never validates one was issued. Flowise instances function as the control plane for LLM agent workflows, typically holding embedded LLM API keys, agent system prompts, RAG configurations, and access to connected data sources, making a successful account takeover equivalent to a full compromise of your AI infrastructure. A public PoC already exists and CISA SSVC rates this ATTEND, and while EPSS sits at 0.22%, the trivial exploitation path — a single HTTP POST with a null token — means any threat actor with a target email address can exploit this in seconds. Patch to Flowise 3.1.0 immediately; if patching is not possible, block POST requests to /api/v1/account/reset-password at the WAF layer and audit logs for anomalous reset activity, then rotate all LLM API keys stored in flows as a precaution.

Sources: NVD, GitHub Advisory, EPSS, ATLAS, CISA KEV

What is the risk?

Critical risk across all five CVSS base metrics: network-accessible, low complexity, no privileges required, no user interaction, and full confidentiality/integrity/availability impact. The vulnerability is trivially exploitable — an attacker needs only a target's email address and can submit a single crafted HTTP request. A public PoC lowers the bar to script-kiddie level. Flowise deployments in enterprise AI stacks typically hold credentials for multiple LLM providers and integrate with internal data systems, dramatically expanding the blast radius beyond the application itself. The 58 prior CVEs in this package signal a pattern of security debt that elevates organizational risk for teams running any unpatched Flowise version.

How does the attack unfold?

  1. Reconnaissance (AML.T0095): Attacker discovers a publicly accessible Flowise instance via Shodan or OSINT and identifies target account email addresses through login error messages, public documentation, or social media.

  2. Authentication Bypass (AML.T0049): Attacker sends a POST request to /api/v1/account/reset-password with the target's email and a null or empty string token value, exploiting the missing token validation to set an attacker-controlled password.

  3. Account Takeover (AML.T0012): Attacker authenticates with the newly set password, gaining full administrative access to the Flowise instance and all configured AI workflows, users, and integrations.

  4. Credential & Config Exfiltration (AML.T0083): Attacker extracts embedded LLM API keys, agent system prompts, RAG configurations, tool credentials, and connected service access tokens from flow definitions, and optionally backdoors agent configurations for persistent access.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.7% chance of exploitation in 30 days (higher than 73% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. Patch immediately: upgrade to Flowise 3.1.0, which validates that a reset token was generated before accepting it.

  2. If patching is not immediately possible, block or rate-limit POST /api/v1/account/reset-password at the reverse proxy or WAF layer as an emergency workaround.

  3. Audit application logs retroactively for POST requests to /api/v1/account/reset-password where the token field is null or empty, going back to at least the CVE publication date of 2026-04-23.

  4. Rotate all LLM provider API keys (OpenAI, Anthropic, etc.) stored in Flowise flows and credentials if any exposure window existed.

  5. Reset passwords for all admin and privileged accounts and review active sessions for anomalies.

  6. Restrict network access to Flowise management interfaces to trusted IP ranges via firewall rules.

  7. Enable MFA on all Flowise accounts if the version supports it.
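For the log audit in step 3, the following is an added example (not part of the original advisory or of Flowise) that scans JSON-lines request logs for reset calls whose token is null, empty, or absent. The log schema (`ts`, `method`, `path`, `src`, `body.token`) and the sample lines are constructed assumptions; map the field names to whatever your proxy or application actually records.

```javascript
// Audit JSON-lines request logs for password-reset calls with no usable token.
// ASSUMPTION: one JSON object per line with ts, method, path, src, body.{email,token}.
const RESET_PATH = '/api/v1/account/reset-password';

function findSuspectResets(lines, sinceIso = '2026-04-23T00:00:00Z') {
  const since = Date.parse(sinceIso);
  const hits = [];
  const unparsed = []; // line numbers to review by hand
  lines.forEach((line, i) => {
    if (!line.trim()) return;
    let e = null;
    try { e = JSON.parse(line); } catch { /* handled below */ }
    if (!e || typeof e !== 'object') { unparsed.push(i + 1); return; }
    if (String(e.method).toUpperCase() !== 'POST') return;
    // Ignore query string and trailing slashes when matching the route.
    const path = String(e.path || '').split('?')[0].replace(/\/+$/, '');
    if (path !== RESET_PATH) return;
    if (!(Date.parse(e.ts) >= since)) return;
    const body = e.body && typeof e.body === 'object' ? e.body : {};
    let reason = null;
    if (!('token' in body)) reason = 'token field missing';
    else if (body.token === null) reason = 'token is null';
    else if (typeof body.token === 'string' && body.token.trim() === '') reason = 'token is empty';
    if (reason) hits.push({ line: i + 1, ts: e.ts, src: e.src, email: body.email, reason });
  });
  return { hits, unparsed };
}

// Constructed sample log lines (documentation IP ranges, fake addresses).
const SAMPLE = [
  '{"ts":"2026-04-24T09:12:03Z","method":"POST","path":"/api/v1/account/reset-password","src":"203.0.113.7","body":{"email":"admin@example.test","token":null}}',
  '{"ts":"2026-04-24T09:15:40Z","method":"POST","path":"/api/v1/account/reset-password/","src":"203.0.113.7","body":{"email":"ops@example.test","token":""}}',
  '{"ts":"2026-04-25T11:00:00Z","method":"POST","path":"/api/v1/account/reset-password","src":"198.51.100.20","body":{"email":"dev@example.test","token":"constructed-token-abc"}}',
  '{"ts":"2026-04-20T08:00:00Z","method":"POST","path":"/api/v1/account/reset-password","src":"198.51.100.9","body":{"email":"old@example.test","token":null}}',
  'truncated {"ts":',
];

console.log(findSuspectResets(SAMPLE));
```

Pass an earlier `sinceIso` to widen the window, and treat every account named in `hits` as needing a password reset and session review.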

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.2.5 - Authentication and Access Control for AI Systems
NIST AI RMF
GOVERN-6.2 - Policies and Procedures Addressing AI Cybersecurity
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-41276 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-41276, increasing the risk of exploitation.

What systems are affected by CVE-2026-41276?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, AI workflow automation, RAG pipelines.

What is the CVSS score for CVE-2026-41276?

CVE-2026-41276 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.73%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM orchestration platforms, AI workflow automation, RAG pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.5
NIST AI RMF: GOVERN-6.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the resetPassword method of the AccountService class. There is no check performed to ensure that a password reset token has actually been generated for a user account. By default the value of the reset token stored in a user's account is null, or an empty string if they've reset their password before. An attacker with knowledge of the user's email address can submit a request to the "/api/v1/account/reset-password" endpoint containing a null or empty string reset token value and reset that user's password to a value of their choosing. This vulnerability is fixed in 3.1.0.
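The flaw class described above, as an added example that is not Flowise source code and not the 3.1.0 patch: a simplified model of a reset handler that only compares token values, next to one way to require that a token was actually issued. The record fields (`resetToken`, `resetTokenExpiry`), function names, and sample values are hypothetical.

```javascript
// Simplified model, NOT Flowise code. Stored token is null for a new account
// and '' after a completed reset, as the advisory describes. Hashing omitted.

function resetVulnerable(user, submittedToken, newPassword) {
  // Value comparison only: null === null and '' === '' both pass, so
  // "no token was ever issued" looks the same as "token matches".
  if (user.resetToken !== submittedToken) return false;
  user.password = newPassword;
  user.resetToken = '';
  return true;
}

// Length-checked comparison that does not exit on the first mismatch.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function resetHardened(user, submittedToken, newPassword, now = Date.now()) {
  // 1. The request must carry a non-empty string token.
  if (typeof submittedToken !== 'string' || submittedToken.length === 0) return false;
  // 2. A token must have been issued for this account and still be valid.
  if (typeof user.resetToken !== 'string' || user.resetToken.length === 0) return false;
  if (!(user.resetTokenExpiry > now)) return false;
  // 3. Only then compare values.
  if (!safeEqual(user.resetToken, submittedToken)) return false;
  user.password = newPassword;
  user.resetToken = '';       // single use
  user.resetTokenExpiry = 0;
  return true;
}

function demo() {
  const fresh = () => ({ email: 'admin@example.test', password: 'old', resetToken: null, resetTokenExpiry: 0 });
  const issued = { ...fresh(), resetToken: 'constructed-token-123', resetTokenExpiry: 2000 };
  return {
    vulnNull: resetVulnerable(fresh(), null, 'x'),
    vulnEmpty: resetVulnerable({ ...fresh(), resetToken: '' }, '', 'x'),
    hardNull: resetHardened(fresh(), null, 'x', 1000),
    hardEmpty: resetHardened({ ...fresh(), resetToken: '' }, '', 'x', 1000),
    hardValid: resetHardened(issued, 'constructed-token-123', 'x', 1000),
    hardReplay: resetHardened(issued, 'constructed-token-123', 'y', 1000),
  };
}
console.log(demo());
```

The same three-part check (token present in the request, token issued and unexpired on the account, values equal) is what to look for when reviewing any reset handler in your own services.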

Exploitation Scenario

An adversary targeting an organization's AI infrastructure uses Shodan or similar OSINT to identify publicly accessible Flowise instances. They enumerate admin email addresses through the application's login error messages, public documentation, or LinkedIn profiles. The attacker sends a single POST request to /api/v1/account/reset-password containing the target email address and a null or empty string as the reset token, along with a new attacker-controlled password. Because the AccountService.resetPassword() method never checks whether a token was issued for the account — defaulting to null for new accounts and empty string for previously reset ones — the request succeeds. The attacker immediately authenticates with admin privileges, extracts all embedded LLM API keys from flow definitions, injects malicious instructions into agent system prompts to create persistent backdoors for ongoing access, and queries connected RAG databases or downstream tool endpoints to exfiltrate sensitive business data.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 23, 2026
Last Modified
April 24, 2026
First Seen
April 23, 2026
