CVE-2026-41274: Flowise: Cypher Injection in GraphCypherQAChain

April 16, 2026 (updated April 24, 2026)

The GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion.

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc
github.com/advisories/GHSA-28g4-38q8-3cwc
nvd.nist.gov/vuln/detail/CVE-2026-41274

Code Behaviors & Features

Detect and mitigate CVE-2026-41274 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →