CVE-2026-41273: Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise

April 16, 2026 (updated April 24, 2026)

Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow.

By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication.

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-6f7g-v4pp-r667
github.com/advisories/GHSA-6f7g-v4pp-r667
nvd.nist.gov/vuln/detail/CVE-2026-41273

Code Behaviors & Features

Detect and mitigate CVE-2026-41273 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →