Cyber Posture

CVE-2026-41274

Severity: Critical · Public PoC

Published: 23 April 2026
Modified: 04 May 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Directly mandates input validation to sanitize user-provided input before forwarding to the Cypher query execution pipeline, preventing arbitrary command injection.
- prevent: Requires timely identification, reporting, and correction of flaws like this Cypher injection vulnerability by upgrading to Flowise 3.1.0 or later.
- prevent: Limits the impact of injected Cypher commands by enforcing least privilege on the underlying Neo4j database user account.
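To make the first control concrete, here is an added example (not Flowise's or neo4j-driver's code) contrasting a Cypher statement assembled by string interpolation with a parameterised one in the `{ text, params }` shape that neo4j-driver's `session.run(text, params)` accepts; the `Movie`/`title` schema, the length limit and the recording session are constructed for illustration.

```javascript
// Added example; not Flowise's or neo4j-driver's code. The Movie label,
// the title property and MAX_INPUT_LEN are constructed assumptions.
const MAX_INPUT_LEN = 200;

// Weak pattern: the user value is spliced into the statement text, so a
// quote or clause inside the value is parsed by Neo4j as part of the query.
function buildCypherUnsafe(userValue) {
  return { text: `MATCH (m:Movie {title: '${userValue}'}) RETURN m.title`, params: {} };
}

// Hardened pattern: the statement text is a constant and the value travels
// separately as the $title parameter, so the database never parses it as Cypher.
function buildCypherSafe(userValue) {
  return { text: 'MATCH (m:Movie {title: $title}) RETURN m.title', params: { title: userValue } };
}

// Input validation for the one value this node expects (a free-text title):
// enforce type and length before the value reaches the query layer.
function validateTitle(userValue) {
  return typeof userValue === 'string' && userValue.length > 0 && userValue.length <= MAX_INPUT_LEN;
}

// Review/test check: the statement text must not change with the input.
// Only the parameterised builder passes; the interpolating one fails on a quote.
function statementIsInputIndependent(builder) {
  return builder('alpha').text === builder("O'Brien").text;
}

// Minimal stand-in for a driver session that records what would be sent,
// so the hardened path can be exercised offline.
function makeRecordingSession() {
  const calls = [];
  return {
    calls,
    run(text, params) { calls.push({ text, params }); return Promise.resolve([]); },
  };
}

// The hardened node flow: validate, then run the parameterised statement.
async function answerTitleQuestion(session, userValue) {
  if (!validateTitle(userValue)) throw new Error('rejected input');
  const q = buildCypherSafe(userValue);
  return session.run(q.text, q.params);
}
```

Pairing the parameterised statement with a Neo4j account that holds only the read access the node needs is what the least-privilege control above refers to: a parameter cannot change the statement shape, and a read-only role bounds what any remaining query could do.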

Security Summary [AI]

CVE-2026-41274 is a Cypher injection vulnerability (CWE-943) in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. In versions prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline of the underlying Neo4j database without proper sanitization. This flaw, published on 2026-04-23 and assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enables attackers to inject and execute arbitrary Cypher commands.

The vulnerability can be exploited by any unauthenticated remote attacker who can provide malicious input to the GraphCypherQAChain node. Successful exploitation grants full control over the Neo4j database, allowing data exfiltration, modification, or deletion depending on the injected commands and database permissions.

The official Flowise security advisory (GHSA-28g4-38q8-3cwc) states that the vulnerability is fixed in version 3.1.0 through proper input sanitization in the GraphCypherQAChain node. Practitioners should upgrade to Flowise 3.1.0 or later and review Neo4j database access controls as an interim measure.

Details

CWE(s): CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)

Affected Products: flowiseai / flowise, ≤ 3.1.0

AI Security Analysis [AI]

AI Category: Other AI Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: large language model

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques? Direct unauthenticated remote Cypher injection into a public-facing Flowise web application node matches T1190 Exploit Public-Facing Application; it enables arbitrary database query execution leading to data exfiltration, modification, or deletion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References