NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-41273

Summary	Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.
Publication Date	April 24, 2026, 5:16 a.m.
Registration Date	April 25, 2026, 4:06 a.m.
Last Update	April 25, 2026, 1:35 a.m.

CVSS3.1 : HIGH
スコア	8.2
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	低
可用性への影響(A)	なし

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:flowiseai:flowise::::::::					3.1.0

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6f7g-v4pp-r667	security-advisories@github.com

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-306	重要な機能に対する認証の欠如解説	https://cwe.mitre.org/data/definitions/306.html