CVE-2026-41274

CRITICAL

Flowise: Cypher Injection in GraphCypherQAChain

Title source: cna

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.

References (1)

[X_Refsource_Confirm] https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc

Scores

CVSS v4 9.3

EPSS 0.0010

EPSS Percentile 27.7%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-943

Status published

Products (2)

FlowiseAI/Flowise < 3.1.0

FlowiseAI/flowise-components < 3.1.0

Published Apr 23, 2026

Tracked Since Apr 24, 2026