CVE-2026-41268

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.0

Description Flowise is a drag and drop user interface for building customized large language model flows. An unauthenticated remote command execution issue exists where a parameter override bypass can be achieved using the 'FILE-STORAGE::' keyword combined with a NODE OPTIONS environment variable injection. This allows an attacker to execute arbitrary system commands with root privileges within the containerized instance via a single HTTP request without requiring authentication.

Recommendations Update to version 3.1.0.