← Volver a CVEs
CVE-2026-41268
N/ADescripcion
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0.
Detalles CVE
Puntuacion CVSS v3.1N/A
Publicado4/23/2026
Ultima modificacion4/23/2026
Fuentenvd
Avistamientos honeypot0
Debilidades (CWE)
CWE-20
Referencias
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cvrr-qhgw-2mm6(security-advisories@github.com)
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cvrr-qhgw-2mm6(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.