CVE-2026-41274
Published: Apr 23, 2026
Modified: Apr 24, 2026
Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.
| Vendor | Product | Versions |
|---|---|---|
FlowiseAI | Flowise | affected < 3.1.0 |
FlowiseAI | flowise-components | affected < 3.1.0 |
Weaknesses (CWE)
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now