A high-severity Cypher injection vulnerability (CVE-2026-41274, CVSS 8.1) has been disclosed in Flowise’s GraphCypherQAChain node. It allows authenticated attackers to execute arbitrary Cypher commands directly against connected Neo4j databases, enabling mass data exfiltration, modification, and complete data destruction, with no input sanitization barrier in the way.
The flaw resides in the flowise and flowise-components npm packages, both affected in versions ≤ 3.0.13. The vulnerability was formally tracked as CVE-2026-41274 and rated High with a CVSS 3.1 score of 8.1, reflecting the full triad impact across Confidentiality, Integrity, and Availability.
Flowise GraphCypherQAChain Vulnerability
Flowise is a widely used drag-and-drop no-code platform for building customized Large Language Model (LLM) workflows, making it popular among developers building AI-powered applications.
Its GraphCypherQAChain node is specifically used to connect natural language questions to Neo4j graph databases, a pipeline that, in vulnerable versions, lacked input sanitization.
The vulnerability is classified under CWE-943: Improper Neutralization of Special Elements in Data Query Logic, the graph database equivalent of classic SQL injection. The flaw exists in the run method of GraphCypherQAChain.ts (lines 193–219), where raw user input is passed directly into the Cypher execution pipeline:
```typescript
const obj = {
    query: input // User input passed directly, no sanitization
}
response = await chain.invoke(obj, { callbacks })
```
This means any string supplied by the user through the chatflow’s prediction API endpoint (/api/v1/prediction/{flowId}) becomes a raw Cypher query against the connected Neo4j instance.
Unlike SQL injection, where databases enforce some structural constraints, Cypher’s expressive power, including DETACH DELETE, CALL, and UNION clauses, makes unfiltered injection especially destructive.
Attack Prerequisites and Exploitation
To exploit CVE-2026-41274, three conditions must be simultaneously present:
- A Neo4j instance connected to the Flowise server
- A chatflow containing the GraphCypherQAChain node wired to a Chat Model (e.g., ChatOpenAI) and a Neo4j Graph node with valid credentials
- API access (with low-privilege credentials) to the chatflow’s prediction endpoint
The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N confirms that the attack requires network access with low privileges and no user interaction, placing it in the category of easily weaponizable vulnerabilities. Proof-of-concept evidence published with the advisory shows three distinct attack outcomes confirming live exploitation against Neo4j:
1. Schema Enumeration:
The injected payload RETURN 1 as ok UNION CALL db.labels() YIELD label RETURN label LIMIT 5 returned a Neo4j-native error message, confirming that the injected Cypher reaches the database directly.
2. Sensitive Data Exfiltration:
Using MATCH (n) RETURN n, an attacker retrieved full node objects, including sensitive fields such as Social Security Numbers stored as graph properties.
3. Complete Data Destruction:
The payload MATCH (n) DETACH DELETE n returned an empty JSON response confirming all nodes in the database were wiped.
The practical impact of this vulnerability is severe for any organization deploying Flowise in production with connected Neo4j graph databases. Attackers can perform the following operations with a single API call:
- Data Exfiltration – Read all nodes, relationships, and sensitive properties from the Neo4j database
- Data Modification – Create, update, or alter graph nodes and relationship structures
- Data Destruction – Execute DETACH DELETE commands to wipe entire databases irreversibly
- Schema Discovery – Enumerate database labels, property keys, and relationship types to facilitate deeper attacks
This vulnerability mirrors a class of injection flaws previously observed in LangChain’s GraphCypherQAChain (CVE-2024-7042), where natural language queries were weaponized to produce malicious Cypher payloads against Neo4j-like databases.
The pattern underscores a systemic risk in AI-to-database pipelines that skip sanitization under the assumption that an LLM acts as a sufficient query filter.
Patch and Remediation
Flowise released the fix in version 3.1.0, which addresses the injection flaw in both the flowise and flowise-components packages. All organizations running Flowise ≤ 3.0.13 with any GraphCypherQAChain-based chatflow must upgrade immediately. Until patching is complete, security teams should apply the following mitigations:
- Disable or isolate any chatflow using the GraphCypherQAChain node from public-facing endpoints
- Restrict API access to the prediction endpoint using strict authentication and IP allowlisting
- Audit Neo4j access logs for anomalous Cypher execution patterns, particularly DETACH DELETE, UNION, or CALL db.
- Enforce Neo4j RBAC to limit the database user connected to Flowise to read-only permissions where write access is not operationally required
FAQ
Q1. What is CVE-2026-41274?
CVE-2026-41274 is a high-severity Cypher injection vulnerability (CVSS 8.1) in Flowise’s GraphCypherQAChain node that allows attackers to execute arbitrary Cypher commands against connected Neo4j databases.
Q2. Which versions of Flowise are affected?
All versions of flowise and flowise-components up to and including 3.0.13 are affected; the issue is patched in version 3.1.0.
Q3. Can an attacker exploit this without admin privileges?
Yes, the vulnerability requires only low-privilege API access to the chatflow prediction endpoint and no user interaction, making it easily exploitable by any authenticated user.
Q4. How can organizations detect whether they have already been exploited?
Security teams should audit Neo4j query logs for destructive Cypher patterns such as DETACH DELETE, unexpected UNION queries, or CALL db.labels() enumeration attempts that originate from Flowise API calls.
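Detection logic for the log-audit mitigation above and for this answer, as an added example that is not Flowise or Neo4j project code: it scans Neo4j query-log lines for the Cypher patterns the advisory names and reports which statements matched. The log-line layout, the LOG_LINE pattern and the sample lines are constructed; adapt the pattern to the query.log format configured in your own deployment.

```typescript
// Added example, not Flowise or Neo4j project code. Scans Neo4j query-log lines
// for the Cypher patterns the advisory names (DETACH DELETE, UNION, CALL db.*).
// The line layout below is a simplified, constructed approximation of Neo4j's
// query.log; adapt LOG_LINE to the format configured in your deployment.

interface Finding {
  lineNo: number;       // 1-based position in the scanned input
  user: string;         // database user that ran the statement
  query: string;        // statement text as logged
  indicators: string[]; // suspicious patterns that matched
}

// Constructed layout: "<date> <time> INFO <n> ms: bolt-session <user> - <query> - <params>"
const LOG_LINE = /^(\S+ \S+) INFO\s+\d+ ms: bolt-session (\S+) - (.*) - \{.*\}$/;

// Label plus a case-insensitive pattern over the statement text.
const INDICATORS: Array<[string, RegExp]> = [
  ["detach-delete", /\bDETACH\s+DELETE\b/i],                  // mass deletion
  ["procedure-call", /\bCALL\s+db\./i],                        // schema enumeration
  ["union", /\bUNION\b/i],                                     // query stacking
  ["unbounded-match", /\bMATCH\s*\(\s*\w*\s*\)\s*RETURN\b/i], // whole-graph dump
];

function classifyQuery(query: string): string[] {
  return INDICATORS.filter(([, re]) => re.test(query)).map(([label]) => label);
}

// One Finding per line whose statement matches at least one indicator. Lines that
// do not fit the expected layout are skipped rather than guessed at.
function scanQueryLog(lines: string[], onlyUser?: string): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((raw, i) => {
    const m = LOG_LINE.exec(raw.trim());
    if (!m) return;
    const [, , user, query] = m;
    if (onlyUser !== undefined && user !== onlyUser) return;
    const indicators = classifyQuery(query);
    if (indicators.length > 0) findings.push({ lineNo: i + 1, user, query, indicators });
  });
  return findings;
}

// Constructed sample: one benign parameterised lookup from the Flowise service
// account, then lines reproducing the advisory's three PoC outcomes.
const SAMPLE_LOG: string[] = [
  "2026-05-01 10:15:20.001+0000 INFO 2 ms: bolt-session flowise - MATCH (p:Person {name: $name}) RETURN p.email - {name: 'Ann'}",
  "2026-05-01 10:15:22.101+0000 INFO 3 ms: bolt-session flowise - RETURN 1 as ok UNION CALL db.labels() YIELD label RETURN label LIMIT 5 - {}",
  "2026-05-01 10:15:25.417+0000 INFO 41 ms: bolt-session flowise - MATCH (n) RETURN n - {}",
  "2026-05-01 10:15:31.900+0000 INFO 88 ms: bolt-session flowise - MATCH (n) DETACH DELETE n - {}",
];
```

Passing the Flowise service account name as onlyUser narrows the scan to statements that arrived through the chatflow's database connection.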
Site: thecybrdef.com