CVE-2026-41266 - Vulnerability Analysis
High | CVSS: 7.5 | Last Updated: April 24, 2026
Flowise - Information Disclosure
Published: April 23, 2026 | Updated: April 24, 2026 | PoC Available | Remote Exploitable
Overview
Flowise < 3.1.0 contains an information disclosure vulnerability caused by unauthenticated access to the /api/v1/public-chatbotConfig/:id endpoint, which lets attackers retrieve sensitive API keys and internal configuration. Exploitation requires knowledge of the chatflow UUID.
Severity & Score
Severity: High
CVSS Score: 7.5
Impact
Attackers can steal credentials and sensitive configuration data, leading to potential unauthorized access and further compromise.
Mitigation
Update to version 3.1.0 or later.
Details
- CVE ID: CVE-2026-41266
- Severity: High
- CVSS Score: 7.5
- Type: information_disclosure
- Status: confirmed
CWE
- CWE-200
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N