CVE 9.3 CRITICAL

Flowise: Cypher Injection in GraphCypherQAChain_CVE-2026-41274

April 23, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.

AI Analysis

Cypher Injection vulnerability in GraphCypherQAChain node, allowing arbitrary Cypher commands execution on the underlying Neo4j database

Basic Information

ID CVE-2026-41274

Source GitHub_M

Published Apr 23, 2026 at 21:12

Affected Product

Vendor FlowiseAI

Product Flowise

Version < 3.1.0

Affected Versions FlowiseAI Flowise < 3.1.0
FlowiseAI flowise-components < 3.1.0

CWE Classification

CWE-943

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor FlowiseAI

Product Flowise

Version < 3.1.0

References

github.com /FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc

{
    "lastseen": "",
    "description": "Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.",
    "published": "2026-04-23T21:12:51.627Z",
    "modified": "2026-04-23T21:12:51.627Z",
    "type": "cve",
    "title": "Flowise: Cypher Injection in GraphCypherQAChain",
    "source": "GitHub_M",
    "references": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc",
    "id": "CVE-2026-41274",
    "bulletinFamily": "",
    "cwe": [
        "CWE-943"
    ],
    "cvelist": null,
    "sourceData": "FlowiseAI Flowise < 3.1.0\nFlowiseAI flowise-components < 3.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Flowise",
    "version": "< 3.1.0",
    "vendor": "FlowiseAI",
    "ai_description": "Cypher Injection vulnerability in GraphCypherQAChain node, allowing arbitrary Cypher commands execution on the underlying Neo4j database",
    "ai_severity": "Critical",
    "ai_vendor": "FlowiseAI",
    "ai_product": "Flowise",
    "ai_version": "< 3.1.0",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply