CVE-2026-41274

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc

Configurations

No configuration.

History

24 Apr 2026, 19:17

Type	Values Removed	Values Added
References	~~() https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc -~~	() https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc -

23 Apr 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-23 22:16

Updated : 2026-04-24 19:17

NVD link : CVE-2026-41274

Mitre link : CVE-2026-41274

CVE.ORG link : CVE-2026-41274

JSON object : View

Products Affected

No product.

CWE

CWE-943

Improper Neutralization of Special Elements in Data Query Logic

{"id": "CVE-2026-41274", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-23T22:16:38.740", "references": [{"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc", "source": "security-advisories@github.com"}, {"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Undergoing Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-943"}]}], "descriptions": [{"lang": "en", "value": "Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0."}], "lastModified": "2026-04-24T19:17:11.643", "sourceIdentifier": "security-advisories@github.com"}