CVE-2026-41279

Vulnerability Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech. This vulnerability is fixed in 3.1.0.

Vulnerability Details

Published Date

April 23, 2026

Last Modified

April 23, 2026

CWE ID

CWE-639

Source

NVD

Vendor

FlowiseAI

Product

Flowise

External References

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5fw2-mwhh-9947

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment