CVE-2026-41268
Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
flowisenpm | < 3.1.0 | 3.1.0 |
flowise-componentsnpm | < 3.1.0 | 3.1.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/FlowiseAI/Flowise/security/advisories/GHSA-cvrr-qhgw-2mm6nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-cvrr-qhgw-2mm6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41268ghsaADVISORY
News mentions
0No linked articles in our index yet.