Remote Code Execution Vulnerability in Flowise by FlowiseAI
CVE-2026-41269
7.1 HIGH
What is CVE-2026-41269?
Flowise, a drag-and-drop user interface for building custom large language model flows, has a vulnerability that affects versions prior to 3.1.0. The Chatflow configuration's file upload settings can be misconfigured so that the application/javascript MIME type is accepted. As a result, attackers can upload malicious JavaScript (.js) files, which are typically restricted. This can lead to the persistent storage of harmful Node.js web shells on the server, resulting in unauthorized remote code execution. To mitigate this risk, users are advised to upgrade to version 3.1.0, where this vulnerability has been addressed.
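One way a server can keep per-flow upload settings from widening the accepted types, shown as an added example that is not Flowise's code or its 3.1.0 fix. The allowlist contents, the settings shape and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical names and policy, not Flowise's code or schema.

// Server-side ceiling (constructed sample policy): MIME type -> extensions
// allowed to carry it. Per-flow settings may narrow this map, never widen it.
const SERVER_ALLOWLIST = new Map([
  ['text/plain', ['.txt']],
  ['text/csv', ['.csv']],
  ['application/json', ['.json']],
  ['application/pdf', ['.pdf']],
]);

// "Application/JavaScript; charset=utf-8" -> "application/javascript"
function normaliseMime(value) {
  return String(value).split(';')[0].trim().toLowerCase();
}

// Final extension of the base name, lower-cased ("a/b/Report.PDF" -> ".pdf").
function extensionOf(filename) {
  const base = String(filename).split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot).toLowerCase() : '';
}

// Audit a flow's configured MIME list: returns entries the server refuses.
function auditFlowUploadTypes(configuredTypes) {
  return configuredTypes.map(normaliseMime)
    .filter((mime) => !SERVER_ALLOWLIST.has(mime));
}

// Decide on one upload. The declared MIME type is client-controlled, so it
// must be on the server allowlist, enabled for the flow, and match the extension.
function isUploadAllowed(flowTypes, upload) {
  const mime = normaliseMime(upload.mimetype);
  const allowedExts = SERVER_ALLOWLIST.get(mime);
  if (!allowedExts) return false;
  if (!flowTypes.map(normaliseMime).includes(mime)) return false;
  return allowedExts.includes(extensionOf(upload.filename));
}

// Constructed sample: a flow whose settings were widened to accept JavaScript.
const sampleFlowTypes = ['application/pdf', 'Application/JavaScript', 'text/plain'];
console.log(auditFlowUploadTypes(sampleFlowTypes));
console.log(isUploadAllowed(sampleFlowTypes, { filename: 'upload.js', mimetype: 'application/javascript' }));
console.log(isUploadAllowed(sampleFlowTypes, { filename: 'notes.pdf', mimetype: 'application/pdf' }));
```

Running the audit over stored flow settings flags any flow that lists a type outside the server allowlist, which is also a quick check for instances still on a version before 3.1.0.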
Affected Version(s)
Flowise < 3.1.0
