Authentication Bypass Vulnerability in Flowise by FlowiseAI
CVE-2026-41276

7.7 HIGH

Key Information:

Vendor: Flowiseai
Status: Vendor
CVE Published: 23 April 2026

What is CVE-2026-41276?

Flowise, a drag-and-drop user interface for building large language model flows, has an authentication bypass in its AccountService class in versions prior to 3.1.0. The password-reset handler behind the '/api/v1/account/reset-password' endpoint compares the reset token supplied in the request with the token stored for the user, but does not first check that a reset token was ever issued. Because the stored token is null or empty by default (the user has never requested a reset, or a previous reset has already consumed the token), a remote attacker who submits a matching null or empty token for a known user email passes the comparison and can set a new password of their choice, taking over the account without possessing any secret. The issue is fixed in version 3.1.0; operators running earlier releases with the account API reachable from untrusted networks should upgrade.
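The following is an added illustration of the flaw described above, not Flowise's own AccountService source. It is a hypothetical reconstruction of the vulnerable check pattern (a stored token that defaults to null/empty being compared directly against the request) beside a hardened handler that refuses absent or empty tokens, enforces expiry, compares in constant time and invalidates the token after use. All names (UserRecord, tempToken, resetPasswordVulnerable, resetPasswordHardened, issueResetToken) and the sample user store are assumptions made for this example.

```typescript
// Hypothetical model of a password-reset handler illustrating CVE-2026-41276.
// NOT Flowise's code; field and function names are assumed for this example.

interface UserRecord {
  email: string;
  passwordHash: string;
  tempToken: string | null;   // null or "" when no reset is outstanding
  tokenExpiry: number | null; // epoch milliseconds
}

interface ResetRequest {
  email: string;
  token?: string | null;      // attacker can send null, "" or omit it
  password: string;
}

// Constructed sample store: neither user has requested a reset.
function sampleUsers(): Map<string, UserRecord> {
  return new Map<string, UserRecord>([
    ["alice@example.com", { email: "alice@example.com", passwordHash: "hash(alice-old)", tempToken: null, tokenExpiry: null }],
    ["bob@example.com", { email: "bob@example.com", passwordHash: "hash(bob-old)", tempToken: "", tokenExpiry: null }],
  ]);
}

// Stand-in for a real password hash (use argon2/bcrypt in production).
function hashPassword(p: string): string { return `hash(${p})`; }

// Vulnerable pattern: the stored token is compared with the supplied token
// without first requiring that a token exists. null === null and "" === ""
// both succeed, so knowing the email is enough to set a new password.
function resetPasswordVulnerable(users: Map<string, UserRecord>, req: ResetRequest): string {
  const user = users.get(req.email);
  if (!user) return "invalid";
  if (user.tempToken !== req.token) return "invalid"; // bypass: null/"" on both sides
  user.passwordHash = hashPassword(req.password);
  return "ok";
}

// Legitimate flow: issue a single-use token with a 15 minute lifetime.
function issueResetToken(users: Map<string, UserRecord>, email: string, token: string, now: number): void {
  const user = users.get(email);
  if (!user) return;
  user.tempToken = token;
  user.tokenExpiry = now + 15 * 60 * 1000;
}

// Length-then-XOR comparison so token mismatches do not leak via timing.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened handler: reject when no reset was ever issued, when the supplied
// token is empty, when the token has expired, or when it does not match;
// then clear the token so it cannot be replayed.
function resetPasswordHardened(users: Map<string, UserRecord>, req: ResetRequest, now: number = Date.now()): string {
  const user = users.get(req.email);
  if (!user) return "invalid";
  const supplied = typeof req.token === "string" ? req.token : "";
  if (!user.tempToken || user.tempToken.length === 0) return "invalid"; // nothing outstanding
  if (supplied.length === 0) return "invalid";                          // empty token never matches
  if (user.tokenExpiry === null || now > user.tokenExpiry) return "invalid";
  if (!constantTimeEqual(user.tempToken, supplied)) return "invalid";
  user.passwordHash = hashPassword(req.password);
  user.tempToken = null;   // single use
  user.tokenExpiry = null;
  return "ok";
}

// Runs the attacker requests against both handlers plus the legitimate flow.
function demo(): Record<string, string> {
  const vuln = sampleUsers();
  const vulnNull = resetPasswordVulnerable(vuln, { email: "alice@example.com", token: null, password: "attacker" });
  const vulnEmpty = resetPasswordVulnerable(vuln, { email: "bob@example.com", token: "", password: "attacker" });

  const hard = sampleUsers();
  const hardNull = resetPasswordHardened(hard, { email: "alice@example.com", token: null, password: "attacker" }, 1_000_000);
  const hardEmpty = resetPasswordHardened(hard, { email: "bob@example.com", token: "", password: "attacker" }, 1_000_000);

  issueResetToken(hard, "alice@example.com", "t0k3n-from-email", 1_000_000);
  const legit = resetPasswordHardened(hard, { email: "alice@example.com", token: "t0k3n-from-email", password: "new" }, 1_000_000);
  const replay = resetPasswordHardened(hard, { email: "alice@example.com", token: "t0k3n-from-email", password: "again" }, 1_000_000);
  const aliceHash = hard.get("alice@example.com")!.passwordHash;

  return { vulnNull, vulnEmpty, hardNull, hardEmpty, legit, replay, aliceHash };
}
```

In the vulnerable handler both attacker requests return "ok" and overwrite the victim's password; in the hardened handler they are rejected, the emailed token works exactly once, and a replay of the same token fails because it was cleared after use.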

Affected Version(s)

Flowise < 3.1.0

References

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
