Vulnerability Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the resetPassword method of the AccountService class. There is no check performed to ensure that a password reset token has actually been generated for a user account. By default the value of the reset token stored in a users account is null, or an empty string if they've reset their password before. An attacker with knowledge of the user's email address can submit a request to the "/api/v1/account/reset-password" endpoint containing a null or empty string reset token value and reset that user's password to a value of their choosing. This vulnerability is fixed in 3.1.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Flowiseai | Flowise | < 3.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f6hc-c5jr-878pExploitVendor Advisory
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f6hc-c5jr-878pExploitVendor Advisory
FAQ
What is CVE-2026-41276?
CVE-2026-41276 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations o...
How severe is CVE-2026-41276?
CVE-2026-41276 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-41276?
Check the references section above for vendor advisories and patch information. Affected products include: Flowiseai Flowise.