CVE-2026-41275: CWE-319: Cleartext Transmission of Sensitive Information in FlowiseAI Flowise
FlowiseAI Flowise versions prior to 3.1.0 transmit password reset links over unsecured HTTP instead of HTTPS. This cleartext transmission exposes users to man-in-the-middle (MITM) attacks, allowing attackers on the same network to intercept reset links and potentially gain unauthorized account access. The vulnerability is identified as CWE-319 and has a CVSS 4.0 score of 7.5 (high severity). The issue is fixed starting with version 3.1.0.
AI Analysis
Technical Summary
CVE-2026-41275 is a vulnerability in FlowiseAI Flowise where the password reset functionality on cloud.flowiseai.com sends reset password links over HTTP rather than HTTPS in versions before 3.1.0. This cleartext transmission of sensitive information (CWE-319) enables attackers on the same network to intercept the reset link via man-in-the-middle attacks. The vulnerability has a CVSS 4.0 score of 7.5, indicating high severity. The flaw is resolved in Flowise version 3.1.0.
Potential Impact
An attacker positioned on the same network as a victim can intercept the password reset link sent over HTTP, potentially allowing unauthorized access to the victim’s account. This compromises account confidentiality and integrity. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Flowise to version 3.1.0 or later, where the password reset functionality uses HTTPS to securely transmit reset links. Patch status is not explicitly stated, but because the vulnerability is fixed in version 3.1.0, updating to that version or newer is the recommended remediation.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-18T14:01:46.802Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69ea782a87115cfb6850f85d
Added to database: 4/23/2026, 7:51:06 PM
Last enriched: 4/23/2026, 8:06:07 PM
Last updated: 4/23/2026, 9:02:01 PM