Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/FlowiseAI/Flowise) · only source for this CVE.
CVSS VectorVendor: https://github.com/FlowiseAI/Flowise
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
FINDING 4: OpenAI Assistants Vector Store - No Auth on CRUD Operations
Severity: HIGH (CVSS ~8.1) Type: CWE-306 (Missing Authentication for Critical Function) File: packages/server/src/routes/openai-assistants-vector-store/index.ts
Description: ALL CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware AND the route path /api/v1/openai-assistants-vector-store is NOT in WHITELIST_URLS. However, it is also NOT protected by the main auth middleware when accessed via API key - the route requires API key auth (not whitelisted), but NO permission checks exist on any operation.
The real issue is that the routes have no checkAnyPermission() middleware, meaning any authenticated user regardless of role can:
- Create vector stores
- Upload files to vector stores
- Delete vector stores and files
- Modify any vector store
Evidence:
// No permission middleware on any route
router.post('/', controller.createAssistantVectorStore) // No permission check
router.put(['/', '/:id'], controller.updateAssistantVectorStore) // No permission check
router.delete(['/', '/:id'], controller.deleteAssistantVectorStore) // No permission check
router.post('/:id', getMulterStorage().array('files'), controller.uploadFilesToAssistantVectorStore) // No permission checkImpact: Any authenticated user can manipulate OpenAI vector stores, upload malicious files, delete data, or exfiltrate stored documents regardless of their assigned permissions.
AnalysisAI
Broken access control in FlowiseAI Flowise versions 3.1.1 and earlier allows any authenticated user to perform unauthorized CRUD operations on OpenAI Assistants Vector Stores via the /api/v1/openai-assistants-vector-store endpoints. The route handlers lack the checkAnyPermission() middleware applied to other privileged endpoints, so role-based access controls are bypassed entirely once an attacker has any valid API key or session. No public exploit is identified at time of analysis, but the fix is bundled in the FlowiseAI security release 3.1.2 alongside several other authorization fixes.
Technical ContextAI
Flowise is an open-source low-code platform (npm package flowise) for building LLM applications and agentic workflows, which integrates with OpenAI's Assistants API including its vector store feature for retrieval-augmented generation. The vulnerability is rooted in CWE-862 (Missing Authorization) - closely related to CWE-306 cited in the advisory - where the Express router at packages/server/src/routes/openai-assistants-vector-store/index.ts registers POST, PUT, DELETE, and file-upload handlers without chaining the checkAnyPermission() middleware that the rest of the codebase uses to enforce role-based access. Because the path is also not on WHITELIST_URLS, an API key or authenticated session is required to reach it, but once past authentication there is no per-operation authorization check, so the platform's RBAC model does not apply to vector store management or file uploads.
RemediationAI
Vendor-released patch: flowise 3.1.2 - upgrade the flowise npm package or container image to 3.1.2 or later, as documented in the release notes at https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2 and the advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-hmg2-jjjx-jcp2. If immediate upgrade is not possible, place a reverse proxy or WAF rule in front of Flowise to block external requests to /api/v1/openai-assistants-vector-store and restrict that path to a trusted admin source IP range, accepting that legitimate vector store management from other users will also be blocked. Additionally, audit and rotate Flowise API keys and review user roles to minimize the number of low-privilege accounts that could abuse the endpoint until the patched version is deployed, and review vector store contents for unexpected uploads or deletions that may have occurred prior to remediation.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35102
GHSA-hmg2-jjjx-jcp2