GHSA-28g4-38q8-3cwc: Flowise: Cypher Injection in GraphCypherQAChain
The GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion.
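The missing control described above, as an added example that is not Flowise's code or its actual fix: a fail-closed check applied to a Cypher statement before it is handed to the Neo4j driver. The helper name `checkReadOnlyCypher`, the blocked-clause list and the sample statements are assumptions constructed for this illustration; a keyword filter like this is defense in depth and assumes the chain also connects with a least-privilege, read-only database account.

```javascript
// Added example (hypothetical helper names; not Flowise code).
// Fail-closed check run on a Cypher statement before it reaches the driver.

// Clauses that write data or change schema/privileges, plus CALL (procedures
// can have side effects). Property names such as n.set are rejected as well.
const BLOCKED = /\b(CREATE|MERGE|DELETE|DETACH|SET|REMOVE|DROP|FOREACH|CALL|LOAD\s+CSV|GRANT|DENY|REVOKE|ALTER)\b/i;

// Strings, backtick identifiers and comments, matched in ONE left-to-right
// pass so that '//' inside a string literal is not mistaken for a comment.
const OPAQUE = /'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`(?:``|[^`])*`|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;

function checkReadOnlyCypher(cypher) {
  if (typeof cypher !== 'string' || cypher.trim() === '') {
    return { ok: false, reason: 'empty or non-string statement' };
  }
  // Unterminated quotes/comments do not match OPAQUE, so their contents stay
  // visible to the keyword scan below (fail closed).
  const skeleton = cypher.replace(OPAQUE, ' ').replace(/;\s*$/, '');
  if (skeleton.includes(';')) {
    return { ok: false, reason: 'multiple statements' };
  }
  const hit = skeleton.match(BLOCKED);
  if (hit) {
    return { ok: false, reason: 'blocked clause: ' + hit[1].toUpperCase() };
  }
  return { ok: true, reason: null };
}

// Constructed sample statements, as they might arrive at the execution step.
const samples = [
  "MATCH (p:Person {name: 'Alice'}) RETURN p.name",
  "MATCH (n) WHERE n.note = 'please DELETE me' RETURN n",
  "MATCH (n {url: 'http://a'}) DELETE n",
  "MATCH (n) RETURN n; MATCH (m) SET m.x = 1",
];
for (const q of samples) {
  console.log(JSON.stringify(checkReadOnlyCypher(q)), q);
}
```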