Home / Vulnerability Intelligence / CVE-2026-41276

CVE-2026-41276 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 24, 2026

FlowiseAI Flowise - Authentication Bypass

Published: April 23, 2026Updated: April 24, 2026PoC AvailableRemote Exploitable

Overview

FlowiseAI Flowise < 3.1.0 contains an authentication bypass caused by missing reset token validation in the resetPassword method of AccountService, letting remote attackers reset user passwords without authentication.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 18.3%(Probability of exploitation in next 30 days)

Impact

Remote attackers can reset any user's password, leading to full account takeover and unauthorized access.

Mitigation

Update to version 3.1.0 or later.

References

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f6hc-c5jr-878p

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 25, 2026

🔴 CVE-2026-41276 - Critical (9.8) Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not requ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41276/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-41276
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: modified
EPSS: 18.3%
Social Posts: 1

CWE

CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

18.3%Probability of exploitation in the next 30 days