ZCyberNews

Flowise Auth Bypass CVE-2026-41276 Lets Attackers Reset Passwords

CVE-2026-41276 (CVSS 8.1) in Flowise AccountService resetPassword lets unauthenticated attackers bypass authentication. ZDI advisory warns no auth required.

Executive Summary

A critical authentication bypass vulnerability in Flowise, an open-source low-code platform for building LLM applications, allows remote attackers to reset passwords without any credentials. Tracked as CVE-2026-41276 and disclosed by the Zero Day Initiative (ZDI) on April 28, 2026, the flaw carries a CVSS score of 8.1. No authentication is required to exploit the issue, which resides in the AccountService resetPassword endpoint.

Technical Analysis

According to the ZDI advisory (ZDI-26-300), the vulnerability exists in Flowise's AccountService.resetPassword method. The specific flaw stems from improper validation of authentication tokens during password reset requests. An attacker can craft a malicious HTTP request to the resetPassword endpoint, bypassing the intended authentication checks and resetting a target user's password without knowledge of the current password or possession of a valid session token.

The ZDI notes that the attack is remotely exploitable over a network and requires no user interaction or special privileges. The CVSS 8.1 rating reflects the high impact on confidentiality, integrity, and availability, as a successful exploit grants an attacker full access to the compromised account, including any associated LLM workflows, API keys, and stored data.

Flowise is widely used by developers and enterprises to build AI-powered applications without deep coding. The platform's popularity in low-code AI development makes this vulnerability particularly concerning, as compromised accounts could lead to data exfiltration or further lateral movement within connected systems.

Mitigations & Recommendations

As of the advisory publication date, no official patch or workaround has been released by the Flowise maintainers. Defenders should immediately audit their Flowise deployments for any suspicious password reset activity, particularly from unrecognized IP addresses or outside normal business hours. Organizations should restrict network access to the Flowise management interface to trusted internal networks only, using firewall rules or VPNs. Monitoring logs for repeated password reset attempts targeting multiple accounts is advised. If possible, temporarily disable the password reset functionality until a patch is available.
