CVE-2026-41273

HIGH

Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow

Title source: cna

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.

References (1)

[X_Refsource_Confirm] https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6f7g-v4pp-r667

Scores

CVSS v3 8.2

EPSS 0.0007

EPSS Percentile 21.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (2)

flowiseai/flowise < 3.1.0

FlowiseAI/Flowise < 3.1.0

Published Apr 23, 2026

Tracked Since Apr 24, 2026