CVE-2026-41278 Overview
CVE-2026-41278 is an Information Disclosure vulnerability in Flowise, a drag-and-drop user interface for building customized large language model (LLM) flows. Prior to version 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without proper sanitization for public chatflows. Docker validation revealed this issue is more severe than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows and public-chatbotConfig endpoints return completely raw flowData including credential IDs, plaintext API keys, and password-type fields.
Critical Impact
Unauthenticated attackers can access sensitive credentials, API keys, and passwords through public-facing API endpoints, potentially compromising connected LLM services and backend systems.
Affected Products
- Flowise versions prior to 3.1.0
- Flowise Docker image v3.0.13 and earlier
- Flowise deployments exposing public chatflow endpoints
Discovery Timeline
- 2026-04-23 - CVE CVE-2026-41278 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41278
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw exists in the public API endpoints that are designed to serve chatflow configurations to anonymous users. The core issue is that these endpoints return the complete, unfiltered chatflow object directly from the database without removing sensitive fields.
The attack can be executed remotely over the network without any authentication or user interaction required. An attacker simply needs to know or enumerate valid chatflow IDs to extract sensitive data. The impact is significant as exposed credentials could provide access to third-party AI services (OpenAI, Anthropic, etc.), databases, or other integrated systems.
Root Cause
The root cause is a missing data sanitization function in production releases. While developers may have intended to implement sanitizeFlowDataForPublicEndpoint to strip sensitive fields from public API responses, this function was either never implemented or not included in the released Docker images. As a result, the public-chatflows and public-chatbotConfig endpoints serve raw database records containing credential IDs, plaintext API keys, and password-type configuration fields.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can exploit this vulnerability by sending unauthenticated GET requests to the /api/v1/public-chatflows/:id or /api/v1/public-chatbotConfig/:id endpoints. The response includes the complete flowData object with all sensitive fields intact.
The vulnerability is particularly dangerous because:
- Public chatflows are intended to be accessible without authentication
- Chatflow IDs may be predictable or enumerable
- The exposed data includes credentials for third-party services that could be used for lateral attacks
The vulnerability manifests when public API endpoints are accessed without proper field-level access controls. Technical details and the full security advisory are available at the GitHub Security Advisory.
Detection Methods for CVE-2026-41278
Indicators of Compromise
- Unusual volume of requests to /api/v1/public-chatflows/ or /api/v1/public-chatbotConfig/ endpoints
- Sequential or brute-force enumeration patterns of chatflow IDs in access logs
- Authentication failures or suspicious activity on third-party services using exposed API keys
- Unexpected API key usage or billing anomalies from integrated LLM providers
Detection Strategies
- Monitor HTTP access logs for GET requests to /api/v1/public-chatflows/:id and /api/v1/public-chatbotConfig/:id endpoints
- Implement rate limiting and alerting on enumeration attempts targeting chatflow endpoints
- Audit API key usage on integrated services (OpenAI, Anthropic, etc.) for unauthorized access
- Deploy web application firewall (WAF) rules to detect credential enumeration patterns
Monitoring Recommendations
- Enable detailed access logging for all Flowise API endpoints
- Configure alerts for high-frequency requests from single IP addresses to public endpoints
- Implement anomaly detection for unusual patterns in chatflow ID access
- Monitor third-party service dashboards for unexpected API key activity
How to Mitigate CVE-2026-41278
Immediate Actions Required
- Upgrade Flowise to version 3.1.0 or later immediately
- Rotate all API keys and credentials stored in chatflow configurations
- Audit access logs for potential exploitation prior to patching
- Consider temporarily disabling public chatflow endpoints until patched
Patch Information
The vulnerability is fixed in Flowise version 3.1.0. Organizations should upgrade to this version or later to remediate the vulnerability. The fix implements proper sanitization of sensitive fields before returning chatflow data through public API endpoints.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Restrict access to public chatflow endpoints via reverse proxy or firewall rules until patching is possible
- Remove or redact sensitive credentials from chatflow configurations temporarily
- Implement network-level access controls to limit who can reach the Flowise API
- Use environment variables or external secret management instead of storing credentials directly in chatflow configurations
# Example: Block public chatflow endpoints via nginx until patched
location ~ ^/api/v1/public-(chatflows|chatbotConfig)/ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
