CVE-2026-41268 HIGH

CVE-2026-41268: Flowise: Flowise Parameter Override Bypass Remote Command Execution

Vendor Flowiseai

Product Flowise

Weakness CWE-20 · Input validation

Published April 23, 2026

Last update April 23, 2026

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0.

Key dates

02Disclosure timeline

April 23, 2026 CVE published

April 23, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41268 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2026-41268: Flowise: Flowise Parameter Override Bypass Remote Command Execution

01Description

02Disclosure timeline

03References

04Related CVE