Skip to main content

Flowise CVE-2026-56270

| EUVDEUVD-2026-38747 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-24 VulnCheck
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated remote GET on a default endpoint (AV:N/AC:L/PR:N/UI:N); pure secret disclosure with no integrity or availability impact, so C:H, I:N, A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jun 24, 2026 - 13:01 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 12:20 vuln.today
Analysis Generated
Jun 24, 2026 - 12:20 vuln.today
CVE Published
Jun 24, 2026 - 11:53 cve.org
HIGH 8.7

DescriptionCVE.org

Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including OAuth client secrets in cleartext, by providing an organizationId parameter. Remote attackers can send a GET request to harvest sensitive API credentials for Google, Microsoft/Azure, GitHub, and Auth0 integrations. This affects FlowiseAI Cloud and self-hosted instances where the endpoint is exposed.

AnalysisAI

Unauthenticated OAuth secret disclosure in FlowiseAI Flowise versions 3.0.13 and earlier allows remote attackers to harvest cleartext SSO client secrets for Google, Microsoft/Azure, GitHub, and Auth0 by sending a single GET request to /api/v1/loginmethod with a guessable organizationId. Affects both FlowiseAI Cloud and self-hosted deployments where the endpoint is reachable; publicly available exploit code exists (vendor GHSA includes a complete request/response PoC), and the leaked credentials enable downstream identity-provider compromise.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed Flowise instance
Delivery
Obtain or enumerate organizationId UUID
Exploit
Send unauthenticated GET to /api/v1/loginmethod
Execution
Receive cleartext OAuth clientSecrets in JSON
Persist
Replay secrets against Google/Microsoft/GitHub/Auth0
Impact
Mint tokens and pivot into tenant identity provider

Vulnerability AssessmentAI

Exploitation The vulnerable Flowise instance (<=3.0.13) must be network-reachable to the attacker, the /api/v1/loginmethod endpoint must be exposed (true in default configurations including FlowiseAI Cloud and standard self-hosted deployments), and the attacker must supply a valid organizationId UUID for a tenant that has at least one SSO provider configured with non-empty credentials. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is high for any internet-exposed Flowise tenant that has configured SSO. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates or obtains a tenant's organizationId - for example from a leaked invite URL, an error response, or by scraping it from a public Flowise instance - then issues a single unauthenticated GET request to https://target/api/v1/loginmethod?organizationId=<uuid>. The 200 OK response contains the tenant's SSO provider records with cleartext clientSecret values, which the attacker then uses with the matching clientID to mint OAuth tokens against Google/Microsoft/GitHub/Auth0 and pivot into the victim organization's identity provider. …
Remediation Vendor-released patch: Flowise 3.1.0 - upgrade the 'flowise' npm package to 3.1.0 or later immediately (see https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6pcv-j4jx-m4vx). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Flowise deployments and confirm version; if running 3.0.13 or earlier, immediately restrict network access to /api/v1/loginmethod endpoint and review access logs for exploitation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

CVE-2026-56270 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy