AI Threat Alert

CVE-2026-41279: Flowise: unauth API key abuse via TTS endpoint IDOR

HIGH PoC AVAILABLE
Published April 23, 2026
CISO Take

Flowise's text-to-speech endpoint is whitelisted without authentication and blindly trusts a caller-supplied credentialId to decrypt and invoke stored AI provider keys (OpenAI, ElevenLabs) — any unauthenticated party on the internet can trigger this with zero privileges. A public PoC already exists and EPSS places this in the top 83rd percentile for exploitation likelihood, meaning active abuse is plausible right now. The blast radius is financial and operational: attackers can silently drain AI API credits, exhaust provider rate limits, and disrupt production AI workflows without leaving any trace in Flowise auth logs since no login ever occurs. Upgrade to Flowise 3.1.0 immediately, rotate every stored third-party API credential as a precaution, and if patching is blocked, firewall POST /api/v1/text-to-speech/generate at the edge.

Sources: NVD EPSS GitHub Advisory ATLAS

What is the risk?

High. Network-accessible with no authentication, no user interaction, and low attack complexity — combined with a public PoC and EPSS top-83rd-percentile ranking, this is effectively trivial for any attacker who can reach a Flowise instance. Flowise carries 58 prior CVEs in the same package, signaling systemic security debt rather than an isolated miss. Organizations running internet-facing Flowise deployments with stored AI provider credentials face immediate financial drain and potential service disruption with no authentication barrier in the way.

How does the attack unfold?

Initial Access
Adversary identifies a publicly accessible Flowise instance via internet scanning and confirms it is running a pre-3.1.0 version through UI or API version disclosure.
AML.T0049
Credential ID Enumeration
Adversary iterates through credentialId values via the unauthenticated TTS endpoint using IDOR techniques, confirming which IDs map to valid stored AI provider credentials.
AML.T0055
Exploitation
Adversary calls POST /api/v1/text-to-speech/generate with a valid credentialId, causing the server to server-side decrypt and use stored API keys (OpenAI, ElevenLabs) with no authentication event logged.
AML.T0083
Impact
Adversary sends bulk automated TTS requests, draining victim AI API credits, exhausting provider rate limits, and disrupting legitimate AI-dependent services at the victim's financial cost.
AML.T0034

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 17% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps

  1. Upgrade to Flowise 3.1.0 immediately — the patch adds authentication to the TTS endpoint.

  2. Rotate all stored third-party API credentials (OpenAI, ElevenLabs, etc.) in Flowise as a precaution, even post-patch, since there is no way to audit whether keys were abused prior to patching.

  3. If immediate upgrade is blocked, restrict external access to POST /api/v1/text-to-speech/generate at your WAF or reverse proxy — allow only trusted internal IPs.

  4. Enable spend alerts and usage anomaly notifications at your AI providers (OpenAI dashboard, ElevenLabs billing) to detect unauthorized TTS consumption.

  5. Review Flowise audit logs for unexpected credentialId references and cross-reference with provider API call timestamps.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass DoS Data Extraction Agent API Framework AML.T0034 AML.T0034.000 AML.T0049 AML.T0055 AML.T0083

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.7 - AI system design and development Clause 6.1 - Actions to address risks and opportunities
NIST AI RMF
GOVERN 1.1 - Policies and procedures for AI risk management MANAGE 2.2 - Risk treatment mechanisms for AI systems
OWASP LLM Top 10
LLM06:2025 - Excessive Agency LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2026-41279?

Flowise's text-to-speech endpoint is whitelisted without authentication and blindly trusts a caller-supplied credentialId to decrypt and invoke stored AI provider keys (OpenAI, ElevenLabs) — any unauthenticated party on the internet can trigger this with zero privileges. A public PoC already exists and EPSS places this in the top 83rd percentile for exploitation likelihood, meaning active abuse is plausible right now. The blast radius is financial and operational: attackers can silently drain AI API credits, exhaust provider rate limits, and disrupt production AI workflows without leaving any trace in Flowise auth logs since no login ever occurs. Upgrade to Flowise 3.1.0 immediately, rotate every stored third-party API credential as a precaution, and if patching is blocked, firewall POST /api/v1/text-to-speech/generate at the edge.

Is CVE-2026-41279 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-41279, increasing the risk of exploitation.

How to fix CVE-2026-41279?

1. Upgrade to Flowise 3.1.0 immediately — the patch adds authentication to the TTS endpoint. 2. Rotate all stored third-party API credentials (OpenAI, ElevenLabs, etc.) in Flowise as a precaution, even post-patch, since there is no way to audit whether keys were abused prior to patching. 3. If immediate upgrade is blocked, restrict external access to POST /api/v1/text-to-speech/generate at your WAF or reverse proxy — allow only trusted internal IPs. 4. Enable spend alerts and usage anomaly notifications at your AI providers (OpenAI dashboard, ElevenLabs billing) to detect unauthorized TTS consumption. 5. Review Flowise audit logs for unexpected credentialId references and cross-reference with provider API call timestamps.

What systems are affected by CVE-2026-41279?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM workflow orchestration, No-code/low-code LLM builders, Multi-tenant AI platforms.

What is the CVSS score for CVE-2026-41279?

CVE-2026-41279 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.26%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworksLLM workflow orchestrationNo-code/low-code LLM buildersMulti-tenant AI platforms

MITRE ATLAS Techniques

AML.T0034 Cost Harvesting
AML.T0034.000 Excessive Queries
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.7, Clause 6.1
NIST AI RMF: GOVERN 1.1, MANAGE 2.2
OWASP LLM Top 10: LLM06:2025, LLM10:2025

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech. This vulnerability is fixed in 3.1.0.

Exploitation Scenario

An adversary scans the internet for publicly accessible Flowise instances — version disclosure is often available via UI headers or API responses. With the target confirmed as pre-3.1.0, they call POST /api/v1/text-to-speech/generate without any session token, iterating through credentialId values (sequential integers or UUIDs enumerable via IDOR). Each successful hit causes the Flowise server to decrypt and use the stored API key server-side to generate TTS output. The adversary automates bulk requests to exhaust OpenAI or ElevenLabs credits, potentially reselling TTS capacity or simply destroying availability of AI features for legitimate users — all while leaving zero footprint in authentication logs since no login ever occurred.

Weaknesses (CWE)

CWE-639 Authorization Bypass Through User-Controlled Key Primary

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
April 23, 2026
Last Modified
April 24, 2026
First Seen
April 23, 2026

Related Vulnerabilities

CRITICAL CVE-2025-59528 10.0

Flowise: Unauthenticated RCE via MCP config injection

Same package: flowise
CRITICAL CVE-2026-46442 9.9

Flowise: sandbox escape enables authenticated RCE

Same package: flowise
CRITICAL CVE-2025-61913 9.9

Flowise: path traversal in file tools leads to RCE

Same package: flowise
CRITICAL CVE-2026-40933 9.9

Flowise: RCE via MCP stdio command injection

Same package: flowise
CRITICAL CVE-2026-56274 9.9

Flowise: RCE via MCP server command validation bypass

Same package: flowise
Back to Threat Feed