CVE-2026-41268 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: April 24, 2026
Flowise - Remote Code Execution
Overview
Flowise < 3.1.0 contains a remote code execution caused by parameter override bypass using FILE-STORAGE:: keyword and NODE_OPTIONS environment variable injection, letting unauthenticated attackers execute arbitrary system commands with root privileges, exploit requires no authentication.
Severity & Score
Impact
Unauthenticated attackers can execute arbitrary system commands with root privileges, leading to full system compromise.
Mitigation
Upgrade to version 3.1.0 or later.
Social Media Activity(2 posts)
š CVE-2026-41268 - High (7.7) Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override... š https://www.thehackerwire.com/vulnerability/CVE-2026-41268/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š CVE-2026-41268 - High (7.7) Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override... š https://www.thehackerwire.com/vulnerability/CVE-2026-41268/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-41268
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- command_injection
- Status
- confirmed
- EPSS
- 0.0%
- Social Posts
- 2
CWE
- CWE-20
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H