FlowiseAI — Vulnerabilities & Security Advisories (46)

Browse all 46 CVE security advisories affecting FlowiseAI. AI-powered Chinese analysis, POCs, and references for each vulnerability.

FlowiseAI is an open-source platform designed to simplify the development of custom Large Language Model applications by enabling users to construct complex AI workflows through a visual drag-and-drop interface. This accessibility, however, has correlated with a significant security footprint, currently encompassing 43 recorded Common Vulnerabilities and Exposures. Historical analysis reveals that these flaws predominantly stem from insufficient input validation and improper access controls, leading to frequent instances of Remote Code Execution and Cross-Site Scripting. Additionally, several incidents highlight critical privilege escalation risks where authenticated users could bypass intended restrictions to access sensitive system resources. The platform’s modular architecture often introduces supply chain dependencies that further expand the attack surface. While the tool facilitates rapid AI integration, its security posture remains a concern for enterprises, necessitating rigorous patch management and strict network segmentation to mitigate the potential for exploitation in production environments.

Top products by FlowiseAI: Flowise, FlowiseChatEmbed
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-8028 | FlowiseAI Flowise Endpoint account.service.ts verify information disclosure | Flowise | CWE-200 | 3.7 | Low | 2026-05-06 |
| CVE-2026-8027 | FlowiseAI Flowise User Controller authorization | Flowise | CWE-639 | 4.3 | Medium | 2026-05-06 |
| CVE-2026-8026 | FlowiseAI Flowise API Response account.service.ts login information disclosure | Flowise | CWE-200 | 3.7 | Low | 2026-05-06 |
| CVE-2026-41274 | Flowise: Cypher Injection in GraphCypherQAChain | Flowise | CWE-943 | 9.8 (AI) | Critical | 2026-04-23 |
| CVE-2026-41264 | Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability | Flowise | CWE-184 | 9.8 (AI) | Critical | 2026-04-23 |
| CVE-2026-41265 | Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability | Flowise | CWE-77 | 9.6 (AI) | Critical | 2026-04-23 |
| CVE-2026-41279 | Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials | Flowise | CWE-639 | 8.2 (AI) | High | 2026-04-23 |
| CVE-2026-41278 | Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs | Flowise | CWE-200 | 7.5 (AI) | High | 2026-04-23 |
| CVE-2026-41276 | Flowise: AccountService resetPassword Authentication Bypass Vulnerability | Flowise | CWE-287 | 7.4 (AI) | High | 2026-04-23 |
| CVE-2026-41277 | Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR) | Flowise | CWE-284 | 8.8 (AI) | High | 2026-04-23 |
| CVE-2026-41275 | Flowise: Password Reset Link Sent Over Unsecured HTTP | Flowise | CWE-319 | 6.8 (AI) | Medium | 2026-04-23 |
| CVE-2026-41273 | Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow | Flowise | CWE-306 | 7.5 (AI) | High | 2026-04-23 |
| CVE-2026-41271 | Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains | Flowise | CWE-918 | 8.6 (AI) | High | 2026-04-23 |
| CVE-2026-41272 | Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) | Flowise | CWE-918 | 7.1 | High | 2026-04-23 |
| CVE-2026-41270 | Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox | Flowise | CWE-284 | 7.1 | High | 2026-04-23 |
| CVE-2026-41269 | Flowise: File Upload Validation Bypass in createAttachment | Flowise | CWE-434 | 7.1 | High | 2026-04-23 |
| CVE-2026-41268 | Flowise: Flowise Parameter Override Bypass Remote Command Execution | Flowise | CWE-20 | 9.8 (AI) | Critical | 2026-04-23 |
| CVE-2026-41267 | Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association | Flowise | CWE-639 | 8.1 | High | 2026-04-23 |
| CVE-2026-41266 | Flowise: Sensitive Data Leak in public-chatbotConfig | Flowise | CWE-200 | 9.1 (AI) | Critical | 2026-04-23 |
| CVE-2026-41137 | Flowise: Code Injection in CSVAgent leads to Authenticated RCE | Flowise | CWE-94 | 8.8 (AI) | High | 2026-04-23 |
| CVE-2026-41138 | Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas | Flowise | CWE-94 | 9.8 (AI) | Critical | 2026-04-23 |
| CVE-2026-40933 | Flowise: Authenticated RCE Via MCP Adapters | Flowise | CWE-78 | 10.0 | Critical | 2026-04-21 |
| CVE-2026-31829 | Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access | Flowise | CWE-918 | 7.1 | High | 2026-03-10 |
| CVE-2026-30824 | Flowise: Missing Authentication on NVIDIA NIM Endpoints | Flowise | CWE-306 | 10.0 | - | 2026-03-07 |
| CVE-2026-30823 | Flowise: IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration | Flowise | CWE-639 | 8.1 | - | 2026-03-07 |
| CVE-2026-30822 | Flowise: Mass Assignment in `/api/v1/leads` Endpoint | Flowise | CWE-915 | 5.3 | - | 2026-03-07 |
| CVE-2026-30821 | Flowise: Arbitrary File Upload via MIME Spoofing | Flowise | CWE-434 | 9.8 | - | 2026-03-07 |
| CVE-2026-30820 | Flowise Authorization Bypass via Spoofed x-request-from Header | Flowise | CWE-863 | 8.8 | - | 2026-03-07 |
| CVE-2025-34267 | Flowise Authenticated Command Execution and Sandbox Bypass via Puppeteer & Playwright Packages | Flowise | CWE-77 | 9.9 (AI) | Critical | 2025-10-14 |
| CVE-2025-61913 | Flowise is vulnerable to arbitrary file read, arbitrary file write | Flowise | CWE-22 | 10.0 | Critical | 2025-10-08 |

"(AI)" marks entries that carry the site's AI badge next to their score and severity; "-" means no severity rating is shown for that entry.

This page lists every published CVE security advisory associated with FlowiseAI. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.