CVE-2026-41278: Flowise: credential exposure in public chatflow API

HIGH | PoC AVAILABLE
Published April 23, 2026

CISO Take

Flowise's public chatflow endpoints return the full flow configuration — including plaintext API keys, credential IDs, and password fields — to any unauthenticated requester, because the sanitization function intended to strip secrets was confirmed absent from the released v3.0.13 Docker image. Both /api/v1/public-chatflows/:id and /api/v1/public-chatbotConfig are affected, meaning every publicly-shared chatflow in production is leaking credentials right now. With a public PoC already available and EPSS placing this in the top 88th percentile for exploitation likelihood, unskilled attackers will exploit this at scale; 58 prior CVEs in Flowise further signal a pattern of systemic security debt. Upgrade to Flowise 3.1.0 immediately, rotate every API key and password stored in any Flowise flow, and audit GET request logs to those endpoints since the first deployment of any pre-3.1.0 version.

Sources: NVD, EPSS, GitHub Advisory, ATLAS

What is the risk?

HIGH. The vulnerability is trivially exploitable: unauthenticated, network-accessible, zero complexity, and a PoC is publicly available. CVSS confidentiality impact is HIGH because the exposed secrets — LLM provider API keys, database passwords, third-party service tokens — can enable lateral movement well beyond the Flowise instance itself. The confirmed absence of the sanitization function in the released Docker image means exposure is not theoretical; it affects every organization running Flowise with publicly-shared chatflows. The 58 historical CVEs in this package indicate chronic security hygiene issues rather than an isolated incident.

How does the attack unfold?

Reconnaissance (AML.T0006): Attacker identifies a publicly accessible Flowise instance via internet scanning tools or by finding chatbot widget embed codes that reference the Flowise host and expose public chatflow IDs.

Initial Access (AML.T0049): Attacker sends an unauthenticated GET request to /api/v1/public-chatflows/:id or /api/v1/public-chatbotConfig, exploiting the absent sanitization function to receive the complete raw flowData JSON.

Credential Harvesting (AML.T0083): Attacker extracts plaintext API keys, credential IDs, and password fields from the returned flowData, including LLM provider keys and database connection strings embedded in flow nodes.

Impact (AML.T0091.000): Harvested credentials are used to access connected LLM APIs at the victim's expense, query linked databases for sensitive data, or pivot to other cloud services using the stolen tokens.

What systems are affected?

Package: Flowise
Ecosystem: npm
Vulnerable Range: (not given)
Patched: No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 33% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

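AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None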

What should I do?

5 steps
  1. Patch immediately: upgrade to Flowise 3.1.0, which introduces the missing sanitizeFlowDataForPublicEndpoint function.

  2. Rotate all credentials: assume every API key and password stored in any public chatflow has been compromised — rotate immediately without waiting for exploitation confirmation.

  3. Emergency workaround: if 3.1.0 cannot be deployed immediately, disable public chatflow sharing at the application level or block /api/v1/public-chatflows and /api/v1/public-chatbotConfig at the WAF/reverse proxy layer.

  4. Audit access logs: search for GET requests to public-chatflows and public-chatbotConfig endpoints from external IPs since the earliest pre-3.1.0 deployment date.

  5. Scope assessment: enumerate all public chatflows via the Flowise admin interface to identify which credentials and integrations were in scope for exposure.
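One way to carry out the log audit in step 4, as an added example that is not part of the advisory or of Flowise: it lists successful external GET requests to the two public endpoints, grouped by chatflow ID. The "combined" log format, the internal address ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: "combined" access-log format on the reverse proxy in front of Flowise.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# The two endpoints named in the advisory; a trailing segment is the chatflow ID.
ENDPOINT = re.compile(r'^/api/v1/(?P<ep>public-chatflows|public-chatbotConfig)'
                      r'(?:/(?P<id>[^/?#]+))?(?:[/?#]|$)')
# Assumption: replace with the ranges your own site treats as internal.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable client field: keep it for manual review
    return not any(ip in net for net in INTERNAL)

def audit(lines):
    """Map chatflow ID -> [(timestamp, client IP, endpoint)] for successful external GETs."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue
        ep = ENDPOINT.match(m["path"])
        if ep and is_external(m["ip"]):
            hits[ep["id"] or "(no id)"].append((m["ts"], m["ip"], ep["ep"]))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, placeholder chatflow ID).
SAMPLE = [
    '203.0.113.7 - - [21/Apr/2026:10:02:11 +0000] "GET /api/v1/public-chatflows/flow-a HTTP/1.1" 200 48211 "-" "curl/8.5.0"',
    '10.0.4.12 - - [21/Apr/2026:10:03:40 +0000] "GET /api/v1/public-chatflows/flow-a HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [22/Apr/2026:08:15:02 +0000] "GET /api/v1/public-chatbotConfig/flow-a HTTP/1.1" 200 9120 "-" "-"',
    '198.51.100.23 - - [22/Apr/2026:08:15:05 +0000] "GET /api/v1/public-chatflows/missing HTTP/1.1" 404 31 "-" "-"',
    '203.0.113.7 - - [22/Apr/2026:09:00:00 +0000] "POST /api/v1/prediction/flow-a HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for flow_id, reads in audit(SAMPLE).items():
        print(flow_id, len(reads), "external reads:", reads)
```

Every chatflow ID this returns should be treated as read by an outside party, so the credentials referenced in that flow belong at the front of the rotation queue.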

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-41278 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-41278, increasing the risk of exploitation.

What systems are affected by CVE-2026-41278?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, no-code AI builders, customer-facing AI chatbots.

What is the CVSS score for CVE-2026-41278?

CVE-2026-41278 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.42%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM orchestration platforms, no-code AI builders, customer-facing AI chatbots

MITRE ATLAS Techniques

AML.T0002.002 AI Agent Configuration
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows AND public-chatbotConfig return completely raw flowData including credential IDs, plaintext API keys, and password-type fields. This vulnerability is fixed in 3.1.0.
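To scope which secrets a raw flowData response would have carried, the added example below (not Flowise code and not from the advisory) walks an exported flow and reports credential references and secret-looking inputs without printing their values. The node layout (nodes[].data with inputs, inputParams and credential), the key-name heuristic and the sample flow are assumptions constructed for illustration.

```python
import json
import re

# Heuristic for secret-looking input names that are not typed as "password".
SECRET_NAME = re.compile(r"api[_-]?key|token|secret|passw", re.IGNORECASE)

def exposed_fields(flow_data):
    """Return (node_id, field, kind) for each value a raw public response would reveal."""
    flow = json.loads(flow_data) if isinstance(flow_data, str) else flow_data
    findings = []
    for node in flow.get("nodes", []):
        data = node.get("data") or {}
        node_id = node.get("id", "?")
        if data.get("credential"):
            findings.append((node_id, "credential", "credential-id"))
        # Assumed layout: inputParams describes each input's declared type.
        typed = {p.get("name") for p in data.get("inputParams") or []
                 if p.get("type") == "password"}
        for name, value in sorted((data.get("inputs") or {}).items()):
            if value in (None, ""):
                continue  # empty fields leak nothing
            if name in typed:
                findings.append((node_id, name, "password-field"))
            elif SECRET_NAME.search(name):
                findings.append((node_id, name, "name-heuristic"))
    return findings

# Constructed sample flow; identifiers and values are placeholders, not real secrets.
SAMPLE_FLOW = json.dumps({"nodes": [
    {"id": "chatOpenAI_0", "data": {
        "credential": "cred-0001-constructed",
        "inputs": {"modelName": "example-model", "temperature": 0.2},
        "inputParams": [{"name": "modelName", "type": "string"}]}},
    {"id": "postgres_0", "data": {
        "inputs": {"host": "db.internal.example", "password": "constructed-not-real",
                   "apiToken": "constructed-token"},
        "inputParams": [{"name": "host", "type": "string"},
                        {"name": "password", "type": "password"}]}},
    {"id": "bufferMemory_0", "data": {"inputs": {"memoryKey": "chat_history"},
                                      "inputParams": []}},
]})

if __name__ == "__main__":
    for node_id, field, kind in exposed_fields(SAMPLE_FLOW):
        print(f"{node_id}: {field} ({kind})")
```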

Exploitation Scenario

An attacker identifies a Flowise instance via Shodan, Censys, or by discovering a chatbot widget embed code that references the Flowise host. They enumerate public chatflow IDs either by brute-forcing UUIDs or extracting them from frontend JavaScript. A single unauthenticated GET to /api/v1/public-chatflows/{id} returns the complete flow JSON including a plaintext OpenAI API key, a Pinecone API key, and a PostgreSQL connection string embedded in flow nodes. The attacker immediately begins generating LLM completions with the stolen OpenAI key to exhaust the victim's quota, while using the database credentials to access the connected vector store and extract proprietary document embeddings used to power the chatbot.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: April 23, 2026
Last Modified: April 24, 2026
First Seen: April 23, 2026
