CVE-2026-41274
Flowise: Cypher Injection in GraphCypherQAChain
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.
| CWE | CWE-943 |
| Vendor | flowiseai |
| Product | flowise |
| Published | Apr 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for flowiseai flowise
Be the first to know when new unknown vulnerabilities affecting flowiseai flowise are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
FlowiseAI / Flowise
< 3.1.0
FlowiseAI / flowise-components
< 3.1.0