CVE-2026-41274

Sažetak

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.

Reference

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

24-04-2026 - 19:17

Objavljeno

23-04-2026 - 22:16