Unsecured Password Reset Functionality in Flowise by FlowiseAI
CVE-2026-41275

7.5 HIGH

Key Information:

Vendor: Flowiseai

Status
Vendor
CVE Published: 23 April 2026

What is CVE-2026-41275?

Flowise is a drag-and-drop platform for building customized large language model flows. Prior to version 3.1.0, the password reset functionality hosted on cloud.flowiseai.com sent reset links over unencrypted HTTP. This exposes users to man-in-the-middle (MITM) attacks: an attacker on the same network can intercept the reset link and gain unauthorized access to the user's account. The issue has been addressed in Flowise version 3.1.0, which uses HTTPS to secure the transmission of password reset links.

Affected Version(s)

Flowise < 3.1.0

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
