SB20260415153 - Multiple vulnerabilities in Flowise



SB20260415153 - Multiple vulnerabilities in Flowise

Published: April 15, 2026 Updated: July 1, 2026

Security Bulletin ID SB20260415153
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 21
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 14% Medium 52% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 21 vulnerabilities.


1) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper restriction of server-side request targets in Execute Flow base url handling when processing a prediction request. A remote user can provide a crafted intranet address in the base url field to disclose sensitive information.

Exploitation can cause the server to initiate HTTP requests to internal network addresses, including cloud metadata services, and can be used to detect internal network services.


2) Improper access control (CVE-ID: CVE-2026-43995)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access internal network resources and disclose sensitive information.

The vulnerability exists due to improper access control in tool components that directly use node-fetch or axios when processing outbound HTTP requests. A remote user can send a crafted prompt that triggers a vulnerable tool to issue requests to internal or metadata endpoints to access internal network resources and disclose sensitive information.

Only deployments with affected tools enabled are vulnerable.


3) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to write files to arbitrary locations on the server filesystem.

The vulnerability exists due to path traversal in the Faiss and SimpleStore vector store implementations when handling a user-controlled basePath parameter during vector store insertion. A remote user can send a specially crafted request with a malicious basePath value to write files to arbitrary locations on the server filesystem.

Exploitation requires a valid API token with documentStores:upsert-config permission, an existing Document Store with at least one processed chunk, and valid embedding provider credentials.


4) OS Command Injection (CVE-ID: N/A)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary commands.

The vulnerability exists due to improper neutralization of special elements used in an os command in the MCP adapter Custom MCP stdio configuration when processing user-supplied stdio command arguments. A remote user can add a crafted MCP stdio server configuration with an arbitrary command to execute arbitrary commands.

The issue is exposed through the Custom MCP configuration in the canvas interface.


5) Use of hard-coded credentials (CVE-ID: N/A)

CWE-ID: CWE-798 - Use of Hard-coded Credentials

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local privileged user to disclose sensitive information and manipulate token metadata.

The vulnerability exists due to use of hard-coded credentials in tempTokenUtils.ts when deriving the token encryption key from an unset TOKEN_HASH_SECRET environment variable. A local privileged user can use the weak default secret to decrypt and modify encrypted token metadata to disclose sensitive information and manipulate token metadata.

User interaction is required, and the issue is exposed only when TOKEN_HASH_SECRET is not configured.


6) Use of hard-coded credentials (CVE-ID: N/A)

CWE-ID: CWE-798 - Use of Hard-coded Credentials

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local privileged user to disclose sensitive information and modify application state by forging session cookies.

The vulnerability exists due to use of hard-coded credentials in the express-session secret configuration when the EXPRESS_SESSION_SECRET environment variable is not set. A local privileged user can create forged session cookies to disclose sensitive information and modify application state by impersonating arbitrary users.

The issue is exposed only when the application uses the default secret value 'flowise', and user interaction is required.


7) Use of hard-coded cryptographic key (CVE-ID: N/A)

CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local privileged user to bypass authentication and impersonate any user.

The vulnerability exists due to use of hard-coded cryptographic keys in JWT secret handling in packages/server/src/enterprise/middleware/passport/index.ts when processing JWT-based authentication. A local privileged user can forge valid JWTs to bypass authentication and impersonate any user.

User interaction is required, and exploitation is possible when JWT environment variables are unset and weak default values are used.


8) Missing Authentication for Critical Function (CVE-ID: N/A)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authentication for a critical function in the /api/v1/loginmethod endpoint when handling GET requests with an organizationId parameter. A remote attacker can send a specially crafted request to disclose sensitive information.

The response can include OAuth client secrets in cleartext for an organization's configured SSO providers.


9) Missing Authentication for Critical Function (CVE-ID: CVE-2026-41279)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper access control in the POST /api/v1/text-to-speech/generate endpoint when handling unauthenticated text-to-speech generation requests with an attacker-supplied credentialId. A remote attacker can send a specially crafted request referencing stored credentials to cause a denial of service.

The issue is triggered when the request omits a chatflowId, causing the endpoint to use the credentialId supplied in the request body to decrypt stored credentials and invoke the configured provider.


10) Information disclosure (CVE-ID: CVE-2026-41278)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper neutralization of sensitive information in the GET /api/v1/public-chatflows/:id and public-chatbotConfig endpoints when handling requests for public chatflows. A remote attacker can send a request to a public chatflow endpoint to disclose sensitive information.

Exposed data can include credential IDs, plaintext API keys, password-type fields, node configurations, and endpoint URLs.


11) Code Injection (CVE-ID: CVE-2026-41265)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper sandboxing in the run method of the Airtable_Agents class when evaluating an LLM-generated python script. A remote attacker can send a crafted prompt to cause execution of attacker-controlled code.

Exploitation is possible through prompt injection, including via user-supplied questions or Airtable column names that influence the generated script.


12) Code Injection (CVE-ID: CVE-2026-41264)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper sandboxing in the run method of the CSV_Agents class when evaluating an LLM-generated python script from user-supplied prompts. A remote attacker can send a specially crafted prompt to cause execution of attacker-controlled code.

Exploitation requires a chatflow that uses the CSV Agent node, and successful prompt injection may depend on the model used.


13) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-41277)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to modify or reassign DocumentStore objects across workspaces.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the DocumentStore create endpoint when handling crafted POST requests with client-supplied primary keys and internal state fields. A remote user can send a specially crafted request to modify or reassign DocumentStore objects across workspaces.

Exploitation requires obtaining or enumerating a valid DocumentStore UUID and is relevant in multi-workspace or multi-tenant deployments.


14) Improper Authentication (CVE-ID: CVE-2026-41276)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper authentication in the resetPassword method of the AccountService class when handling password reset requests. A remote attacker can submit a password reset request with a null or empty reset token to bypass authentication.

Exploitation requires knowledge of the target user's email address and is limited to accounts whose reset token expiry check can still be satisfied, such as recently created accounts.


15) Cleartext transmission of sensitive information (CVE-ID: CVE-2026-41275)

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain unauthorized access to a victim's account.

The vulnerability exists due to insecure transmission of password reset links in password reset functionality when sending password reset links over unsecured HTTP. A remote attacker can intercept a password reset link on an untrusted network to gain unauthorized access to a victim's account.

User interaction is required because the victim must use the reset link, and exploitation depends on a man-in-the-middle position on the same network.


16) Improper Neutralization of Special Elements in Data Query Logic (CVE-ID: CVE-2026-41274)

CWE-ID: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary cypher commands on the underlying Neo4j database.

The vulnerability exists due to improper neutralization of special elements in data query logic in the GraphCypherQAChain run method when handling user-supplied input through the prediction endpoint. A remote user can send a specially crafted request to execute arbitrary cypher commands on the underlying Neo4j database.

Exploitation requires a chatflow that includes the Graph Cypher QA Chain node and is connected to a Neo4j Graph node with valid credentials.


17) Missing Authentication for Critical Function (CVE-ID: CVE-2026-41273)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose OAuth 2.0 access tokens.

The vulnerability exists due to missing authentication for critical functions in the public chatflow configuration and OAuth token refresh endpoints when handling requests for public chatflow data and credential refresh operations. A remote attacker can retrieve a credential identifier from exposed flow data and submit a crafted token refresh request to disclose OAuth 2.0 access tokens.

Exploitation requires a self-hosted deployment with a public chatflow configured to use an OAuth 2.0 credential.


18) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-41271)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform server-side request forgery and access internal or external HTTP endpoints.

The vulnerability exists due to server-side request forgery in POST/GET API Chain components when processing attacker-controlled prompt templates and API documentation. A remote user can send a specially crafted prompt to perform server-side request forgery and access internal or external HTTP endpoints.

The issue affects both GET and POST API chains.


19) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-41272)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access internal services and modify data via server-side request forgery.

The vulnerability exists due to improper access control in secureAxiosRequest and secureFetch in packages/components/src/httpSecurity.ts when handling outbound requests. A remote user can supply a crafted URL to access internal services and modify data via server-side request forgery.

Exploitation can occur through a DNS rebinding time-of-check time-of-use condition or when the deny list is left unset by default.


20) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-41270)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access internal network resources and disclose sensitive information.

The vulnerability exists due to improper access control in the Custom Function sandbox when executing user-supplied JavaScript code that imports built-in Node.js http, https, or net modules. A remote user can submit a specially crafted custom function to access internal network resources and disclose sensitive information.

Only deployments with HTTP_DENY_LIST configured are affected by this protection bypass, and no user interaction is required.


21) Arbitrary file upload (CVE-ID: CVE-2026-41269)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to upload and store malicious javascript files on the server.

The vulnerability exists due to unrestricted upload of file with dangerous type in the createAttachment functionality when updating Chatflow file upload settings and uploading attachments. A remote user can add the application/javascript MIME type and upload a specially crafted .js file to upload and store malicious javascript files on the server.

If the uploaded file is executed, this can lead to remote code execution.


Remediation

Install update from vendor's website.

References