Flowise RCE: Unauthenticated Command Execution

/HIGH /CVSS 7.7/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-20
Flowise RCE: Unauthenticated Command Execution

The National Vulnerability Database has disclosed CVE-2026-41268, a critical unauthenticated remote command execution (RCE) vulnerability in Flowise, a drag-and-drop UI for building LLM flows. Prior to version 3.1.0, Flowise instances are exposed to arbitrary system command execution with root privileges, requiring no authentication or prior knowledge of the instance.

This RCE is exploitable via a parameter override bypass, specifically leveraging the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. A single HTTP request is all it takes for an attacker to gain control. The National Vulnerability Database assigns this a CVSS score of 7.7 (HIGH), with a vector indicating network-exploitable, low attack complexity, and high impact on confidentiality and integrity.

For defenders, this is a clear and present danger. Unauthenticated RCEs are the crown jewels for attackers, providing immediate and deep access. The ease of exploitation means any internet-facing Flowise instance not yet patched is a sitting duck. This isn’t theoretical; it’s a direct path to compromise.

What This Means For You

  • If your organization uses Flowise, you need to check your version immediately. Patch to 3.1.0 or newer without delay. Prioritize this, as unauthenticated RCE with root privileges is as bad as it gets. Scan your network for unpatched Flowise instances exposed to the internet.
🛡️ Am I exposed to this? Get detection rules for CVE-2026-41268 — Splunk, Sentinel, Elastic, QRadar & more

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.004 Command and Scripting Interpreter: Unix Shell Execution T1647 Container Escape Privilege Escalation

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

Flowise RCE via FILE-STORAGE parameter override - CVE-2026-41268

Sigma YAML — free preview
✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-41268 Vulnerability CVE-2026-41268

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 23, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related Posts

CVE-2026-6732 — Libxml2 Denial of Service

CVE-2026-6732 — A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-843
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma

OpenShell Mirror Mode Allows Arbitrary Code Execution

CVE-2026-41355 — OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror...

vulnerabilityCVEhigh-severitycode-executioncwe-829
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 4 IOCs /⚙ 3 Sigma

OpenClaw: High-Severity Access Control Bypass Looms

CVE-2026-41353 — OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile...

vulnerabilityCVEhigh-severitycwe-472
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 4 IOCs /⚙ 2 Sigma