CVE-2026-41266: Flowise: Sensitive Data Leak in public-chatbotConfig

April 16, 2026 (updated April 24, 2026)

/api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more.

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-4jpm-cgx2-8h37
github.com/advisories/GHSA-4jpm-cgx2-8h37
nvd.nist.gov/vuln/detail/CVE-2026-41266

Code Behaviors & Features

Detect and mitigate CVE-2026-41266 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →