Skip to main content

FlowiseAI Flowise CVE-2026-8026

| EUVDEUVD-2026-27824 MEDIUM
Information Exposure (CWE-200)
2026-05-06 VulDB GHSA-8f47-4rh3-x44m
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 06, 2026 - 14:01 vuln.today
Severity Changed
May 06, 2026 - 13:22 NVD
LOW MEDIUM
CVSS changed
May 06, 2026 - 13:22 NVD
3.7 (LOW) 6.3 (MEDIUM)

DescriptionCVE.org

A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. You should upgrade the affected component.

AnalysisAI

Information disclosure in FlowiseAI Flowise up to version 3.0.12 allows remote attackers to extract sensitive data through the Login function in the API Response Handler component. The vulnerability requires high attack complexity and is difficult to exploit, but successful exploitation results in confidentiality impact without authentication requirements. No public confirmation of active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability exists in the Login function within packages/server/src/enterprise/services/account.service.ts, which handles authentication responses in the Flowise API layer. The flaw is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating improper data protection or overly permissive information exposure in the authentication response handler. The API Response Handler component processes login requests and constructs responses; the flaw likely permits attackers to extract sensitive account or system information through crafted requests or response manipulation despite authentication controls.

RemediationAI

Upgrade FlowiseAI Flowise to version 3.0.13 or later to remediate this vulnerability; a patched version addressing the Login function information disclosure has been made available. Users should apply the upgrade immediately for internet-facing deployments. If upgrade is not immediately possible, restrict network access to the Flowise API endpoint using network segmentation, firewall rules, or reverse proxy authentication to limit exposure to trusted internal networks only. Monitor API response logs for unusual Login function calls or responses containing unexpected sensitive data leakage. No configuration-level workaround is available; patching is the primary remediation path.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

CVE-2026-8026 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy