Unauthenticated Remote Command Execution Vulnerability in Flowise by FlowiseAI
CVE-2026-41268

7.7 HIGH

Key Information:

Vendor: Flowiseai
Status: Vendor
CVE Published: 23 April 2026

What is CVE-2026-41268?

Flowise, a tool for building customized large language model flows, was susceptible to an unauthenticated remote command execution vulnerability in versions prior to 3.1.0. The flaw allowed an attacker to execute arbitrary system commands with root privileges inside the containerized environment by combining a parameter override bypass through the FILE-STORAGE:: keyword with injection of the NODE_OPTIONS environment variable. Successful exploitation required only a single HTTP request, with no authentication and no prior knowledge of the instance. The vulnerability was fixed in release 3.1.0; affected deployments should be upgraded to 3.1.0 or later without delay.

Affected Version(s)

Flowise < 3.1.0

References

CVSS V3.0

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
