
Flowise — Vulnerabilities & Security Advisories (46)

All 46 CVE vulnerabilities found in Flowise, with AI-generated Chinese analysis, references, and POCs.

Flowise is an open-source platform designed for the development of large language model (LLM) applications, and this page specifically tracks security weaknesses and vulnerabilities associated with its codebase and deployment configurations. The collection aggregates public reports, advisories, and database entries regarding common programming errors, configuration mistakes, and library dependencies that could lead to unauthorized access, data exposure, or service disruption. The records span from the initial release of the project through the most recent updates, ensuring a comprehensive historical perspective on how the product’s security posture has evolved over time. By reviewing this aggregated data, users can track vendor advisories and third-party security notes related to Flowise, gaining insight into how specific issues were reported and resolved. The page allows for a deeper understanding of the weakness classes frequently exploited or identified within this technology stack, helping developers recognize patterns in flawed implementations or insecure defaults. Additionally, users can look up a product’s vulnerability history to assess the overall risk profile of their instance, identifying whether known issues have been patched or if legacy versions remain exposed. This centralized view supports informed decision-making for security audits, compliance checks, and risk mitigation strategies. It serves as a technical reference for security professionals and developers to evaluate the stability and safety of Flowise deployments against known threats without relying on fragmented sources.

Vendor: FlowiseAI

CVE ID         | Title                                                                                                                           | CWE     | CVSS      | Severity       | Published
---------------|---------------------------------------------------------------------------------------------------------------------------------|---------|-----------|----------------|-----------
CVE-2026-43995 | Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)                                  | CWE-918 | -         | -              | 2026-05-11
CVE-2026-8028  | FlowiseAI Flowise Endpoint account.service.ts verify information disclosure                                                     | CWE-200 | 3.7       | Low            | 2026-05-06
CVE-2026-8027  | FlowiseAI Flowise User Controller authorization                                                                                 | CWE-639 | 4.3       | Medium         | 2026-05-06
CVE-2026-8026  | FlowiseAI Flowise API Response account.service.ts login information disclosure                                                  | CWE-200 | 3.7       | Low            | 2026-05-06
CVE-2026-41274 | Flowise: Cypher Injection in GraphCypherQAChain                                                                                 | CWE-943 | 9.8 (AI)  | Critical (AI)  | 2026-04-23
CVE-2026-41264 | Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability                                                         | CWE-184 | 9.8 (AI)  | Critical (AI)  | 2026-04-23
CVE-2026-41265 | Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability                                                      | CWE-77  | 9.6 (AI)  | Critical (AI)  | 2026-04-23
CVE-2026-41279 | Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials        | CWE-639 | 8.2 (AI)  | High (AI)      | 2026-04-23
CVE-2026-41278 | Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs       | CWE-200 | 7.5 (AI)  | High (AI)      | 2026-04-23
CVE-2026-41276 | Flowise: AccountService resetPassword Authentication Bypass Vulnerability                                                       | CWE-287 | 7.4 (AI)  | High (AI)      | 2026-04-23
CVE-2026-41277 | Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)                       | CWE-284 | 8.8 (AI)  | High (AI)      | 2026-04-23
CVE-2026-41275 | Flowise: Password Reset Link Sent Over Unsecured HTTP                                                                           | CWE-319 | 6.8 (AI)  | Medium (AI)    | 2026-04-23
CVE-2026-41273 | Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow                                                  | CWE-306 | 7.5 (AI)  | High (AI)      | 2026-04-23
CVE-2026-41271 | Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains                                                                  | CWE-918 | 8.6 (AI)  | High (AI)      | 2026-04-23
CVE-2026-41272 | Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)                                                                     | CWE-918 | 7.1       | High           | 2026-04-23
CVE-2026-41270 | Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox                                | CWE-284 | 7.1       | High           | 2026-04-23
CVE-2026-41269 | Flowise: File Upload Validation Bypass in createAttachment                                                                      | CWE-434 | 7.1       | High           | 2026-04-23
CVE-2026-41268 | Flowise: Flowise Parameter Override Bypass Remote Command Execution                                                             | CWE-20  | 9.8 (AI)  | Critical (AI)  | 2026-04-23
CVE-2026-41267 | Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association                         | CWE-639 | 8.1       | High           | 2026-04-23
CVE-2026-41266 | Flowise: Sensitive Data Leak in public-chatbotConfig                                                                            | CWE-200 | 9.1 (AI)  | Critical (AI)  | 2026-04-23
CVE-2026-41137 | Flowise: Code Injection in CSVAgent leads to Authenticated RCE                                                                  | CWE-94  | 8.8 (AI)  | High (AI)      | 2026-04-23
CVE-2026-41138 | Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas.        | CWE-94  | 9.8 (AI)  | Critical (AI)  | 2026-04-23
CVE-2026-40933 | Flowise: Authenticated RCE Via MCP Adapters                                                                                     | CWE-78  | 10.0      | Critical       | 2026-04-21
CVE-2026-31829 | Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access                          | CWE-918 | 7.1       | High           | 2026-03-10
CVE-2026-30824 | Flowise: Missing Authentication on NVIDIA NIM Endpoints                                                                         | CWE-306 | 10.0      | -              | 2026-03-07
CVE-2026-30823 | Flowise: IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration                                   | CWE-639 | 8.1       | -              | 2026-03-07
CVE-2026-30822 | Flowise: Mass Assignment in `/api/v1/leads` Endpoint                                                                            | CWE-915 | 5.3       | -              | 2026-03-07
CVE-2026-30821 | Flowise: Arbitrary File Upload via MIME Spoofing                                                                                | CWE-434 | 9.8       | -              | 2026-03-07
CVE-2026-30820 | Flowise Authorization Bypass via Spoofed x-request-from Header                                                                  | CWE-863 | 8.8       | -              | 2026-03-07
CVE-2025-34267 | Flowise Authenticated Command Execution and Sandbox Bypass via Puppeteer & Playwright Packages                                  | CWE-77  | 9.9 (AI)  | Critical (AI)  | 2025-10-14

"(AI)" marks a CVSS score or severity that the listing flags as AI-generated; "-" means the listing gives no value.

All 46 known CVE vulnerabilities affecting Flowise with full Chinese analysis, references, and POCs where available.