Improper Authentication in Flowise - CVE-2026-41276

Published: April 20, 2026


Vulnerability identifier: #VU126600
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41276
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper authentication in the resetPassword method of the AccountService class when handling password reset requests. A remote attacker can submit a password reset request with a null or empty reset token to bypass the reset-token check and set a new password for the targeted account.

Exploitation requires knowledge of the target user's email address and is limited to accounts whose reset token expiry check can still be satisfied, such as recently created accounts; this precondition is why the CVSS vector carries AT:P (attack requirements present).
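The following TypeScript is an added illustration of the class of bug the description above names (CWE-287, a reset-token check that can be skipped with a null or empty token) alongside a hardened version of the same check. It is not Flowise's code: the user record fields, the store, and the function names are assumptions for the example, and the reason the expiry check can still be satisfied is modelled as an assumption rather than taken from the project. Constant-time comparison, single-use tokens and the non-empty-string requirement are the standard countermeasures; the password digest is a stand-in so the example runs offline.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical user record. Field names are assumptions for this example,
// not Flowise's actual schema.
export interface User {
  email: string;
  passwordHash: string;
  resetToken: string | null;       // null when no reset has been requested
  resetTokenExpiry: number | null; // epoch milliseconds
}

export interface ResetRequest {
  email: string;
  token?: string | null; // attacker-controlled: may be omitted, null or ""
  newPassword: string;
}

export type ResetResult = "ok" | "invalid" | "expired";

// Placeholder digest so the example runs stand-alone. A real service uses a
// password hashing function such as argon2 or bcrypt, not plain SHA-256.
function hashPassword(pw: string): string {
  return createHash("sha256").update(pw).digest("hex");
}

// Constructed store: one account that has never requested a reset, but whose
// expiry field is still in the future. The advisory says the expiry check can
// be satisfied on e.g. recently created accounts; how that happens is an
// assumption of this example.
export function makeStore(now: number = Date.now()): Map<string, User> {
  return new Map<string, User>([[
    "alice@example.com",
    {
      email: "alice@example.com",
      passwordHash: hashPassword("old-secret"),
      resetToken: null,
      resetTokenExpiry: now + 60 * 60 * 1000,
    },
  ]]);
}

// Issues a fresh random token with a 15 minute lifetime (assumed policy).
export function issueResetToken(users: Map<string, User>, email: string, now: number = Date.now()): string | null {
  const user = users.get(email);
  if (!user) return null;
  user.resetToken = randomBytes(32).toString("hex");
  user.resetTokenExpiry = now + 15 * 60 * 1000;
  return user.resetToken;
}

// Vulnerable shape (CWE-287): the token comparison is guarded by the token's
// truthiness, so a request whose token is missing, null or "" skips it, and
// only the expiry check stands between the attacker and a new password.
export function resetPasswordVulnerable(users: Map<string, User>, req: ResetRequest, now: number = Date.now()): ResetResult {
  const user = users.get(req.email);
  if (!user) return "invalid";
  if (user.resetTokenExpiry === null || user.resetTokenExpiry < now) return "expired";
  if (req.token && req.token !== user.resetToken) return "invalid"; // BUG: falsy token bypasses the check
  user.passwordHash = hashPassword(req.newPassword);
  return "ok";
}

// Hardened shape: the token must be a non-empty string, a token must actually
// have been issued, the comparison is constant-time, and the token is consumed.
export function resetPasswordHardened(users: Map<string, User>, req: ResetRequest, now: number = Date.now()): ResetResult {
  const user = users.get(req.email);
  if (typeof req.token !== "string" || req.token.length === 0) return "invalid";
  if (!user || !user.resetToken || user.resetTokenExpiry === null) return "invalid";
  if (user.resetTokenExpiry < now) return "expired";
  const supplied = Buffer.from(req.token, "utf8");
  const stored = Buffer.from(user.resetToken, "utf8");
  if (supplied.length !== stored.length || !timingSafeEqual(supplied, stored)) return "invalid";
  user.passwordHash = hashPassword(req.newPassword);
  user.resetToken = null;        // single use
  user.resetTokenExpiry = null;
  return "ok";
}
```

Run against the constructed store, `resetPasswordVulnerable` returns "ok" for a request carrying `token: null` or `token: ""` and no issued token, while `resetPasswordHardened` returns "invalid" for both and only accepts the exact token issued by `issueResetToken`, once, before its expiry.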


How to mitigate CVE-2026-41276

Install the security update from the vendor's website. Because the bypass turns on a null or empty reset token, password reset requests that arrive without a token are worth flagging in logs while the update is pending.

Sources