Missing Authentication for Critical Function in Flowise - CVE-2026-41273


Published: April 20, 2026


Vulnerability identifier: #VU126604
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-41273
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to obtain OAuth 2.0 access tokens.

The vulnerability exists due to missing authentication on two critical functions: the endpoint that serves public chatflow configuration and the endpoint that refreshes OAuth 2.0 credentials. Because the public chatflow data exposes the identifier of the credential a flow uses, a remote attacker can read that identifier from the flow data and then submit a crafted token refresh request for it, which returns the refreshed OAuth 2.0 access token.

Exploitation requires a self-hosted deployment with a public chatflow that is configured to use an OAuth 2.0 credential; deployments with no public chatflow bound to an OAuth 2.0 credential are not exposed by this path.


How to mitigate CVE-2026-41273

Install the security update from the vendor's website. Because the documented exploitation path requires a public chatflow bound to an OAuth 2.0 credential, making such chatflows non-public until the update is applied removes that precondition, and any OAuth 2.0 tokens that may already have been disclosed should be revoked and re-issued at the identity provider.

Sources