Skip to main content

Flowise CVE-2026-46444

| EUVDEUVD-2026-35102 HIGH
Missing Authorization (CWE-862)
2026-05-14 https://github.com/FlowiseAI/Flowise GHSA-hmg2-jjjx-jcp2
8.7
CVSS 4.0 · Vendor: https://github.com/FlowiseAI/Flowise
Share

Severity by source

Vendor (https://github.com/FlowiseAI/Flowise) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/FlowiseAI/Flowise) · only source for this CVE.

CVSS VectorVendor: https://github.com/FlowiseAI/Flowise

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 08, 2026 - 16:40 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 08, 2026 - 16:39 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 08, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Jun 08, 2026 - 16:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 14, 2026 - 21:45 vuln.today
Analysis Generated
May 14, 2026 - 21:45 vuln.today
CVE Published
May 14, 2026 - 16:19 nvd
HIGH

DescriptionCVE.org

FINDING 4: OpenAI Assistants Vector Store - No Auth on CRUD Operations

Severity: HIGH (CVSS ~8.1) Type: CWE-306 (Missing Authentication for Critical Function) File: packages/server/src/routes/openai-assistants-vector-store/index.ts

Description: ALL CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware AND the route path /api/v1/openai-assistants-vector-store is NOT in WHITELIST_URLS. However, it is also NOT protected by the main auth middleware when accessed via API key - the route requires API key auth (not whitelisted), but NO permission checks exist on any operation.

The real issue is that the routes have no checkAnyPermission() middleware, meaning any authenticated user regardless of role can:

  • Create vector stores
  • Upload files to vector stores
  • Delete vector stores and files
  • Modify any vector store

Evidence:

typescript
// No permission middleware on any route
router.post('/', controller.createAssistantVectorStore)          // No permission check
router.put(['/', '/:id'], controller.updateAssistantVectorStore) // No permission check
router.delete(['/', '/:id'], controller.deleteAssistantVectorStore) // No permission check
router.post('/:id', getMulterStorage().array('files'), controller.uploadFilesToAssistantVectorStore) // No permission check

Impact: Any authenticated user can manipulate OpenAI vector stores, upload malicious files, delete data, or exfiltrate stored documents regardless of their assigned permissions.

AnalysisAI

Broken access control in FlowiseAI Flowise versions 3.1.1 and earlier allows any authenticated user to perform unauthorized CRUD operations on OpenAI Assistants Vector Stores via the /api/v1/openai-assistants-vector-store endpoints. The route handlers lack the checkAnyPermission() middleware applied to other privileged endpoints, so role-based access controls are bypassed entirely once an attacker has any valid API key or session. No public exploit is identified at time of analysis, but the fix is bundled in the FlowiseAI security release 3.1.2 alongside several other authorization fixes.

Technical ContextAI

Flowise is an open-source low-code platform (npm package flowise) for building LLM applications and agentic workflows, which integrates with OpenAI's Assistants API including its vector store feature for retrieval-augmented generation. The vulnerability is rooted in CWE-862 (Missing Authorization) - closely related to CWE-306 cited in the advisory - where the Express router at packages/server/src/routes/openai-assistants-vector-store/index.ts registers POST, PUT, DELETE, and file-upload handlers without chaining the checkAnyPermission() middleware that the rest of the codebase uses to enforce role-based access. Because the path is also not on WHITELIST_URLS, an API key or authenticated session is required to reach it, but once past authentication there is no per-operation authorization check, so the platform's RBAC model does not apply to vector store management or file uploads.

RemediationAI

Vendor-released patch: flowise 3.1.2 - upgrade the flowise npm package or container image to 3.1.2 or later, as documented in the release notes at https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2 and the advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-hmg2-jjjx-jcp2. If immediate upgrade is not possible, place a reverse proxy or WAF rule in front of Flowise to block external requests to /api/v1/openai-assistants-vector-store and restrict that path to a trusted admin source IP range, accepting that legitimate vector store management from other users will also be blocked. Additionally, audit and rotate Flowise API keys and review user roles to minimize the number of low-privilege accounts that could abuse the endpoint until the patched version is deployed, and review vector store contents for unexpected uploads or deletions that may have occurred prior to remediation.

Share

CVE-2026-46444 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy