Sensitive Data Exposure in Flowise Drag & Drop User Interface
CVE-2026-41266

7.7 HIGH

Key Information:

Vendor

Flowiseai

Status

Vendor
CVE Published:
23 April 2026

What is CVE-2026-41266?

The Flowise drag & drop user interface, prior to version 3.1.0, is vulnerable to sensitive data exposure because of inadequate authentication on one of its API routes. Specifically, the /api/v1/public-chatbotConfig/:id endpoint lets an attacker who knows only the chatflow UUID retrieve sensitive information such as stored API keys, authorization headers, and internal configuration details. Because the endpoint enforces no access control, any credentials stored in the chatflow configuration are exposed, which could lead to significant security breaches. Users are advised to upgrade to version 3.1.0 or above to mitigate this vulnerability.

Affected Version(s)

Flowise < 3.1.0

References

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
