Skip to main content

FlowiseAI Flowise CVE-2026-8028

| EUVDEUVD-2026-27832 LOW
Information Exposure (CWE-200)
2026-05-06 VulDB
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
May 06, 2026 - 15:22 NVD
3.7 (LOW) 2.9 (LOW)
Analysis Generated
May 06, 2026 - 15:01 vuln.today

DescriptionCVE.org

A vulnerability was detected in FlowiseAI Flowise up to 3.0.12. This affects the function verify of the file packages/server/src/enterprise/services/account.service.ts of the component Endpoint. Performing a manipulation results in information disclosure. Remote exploitation of the attack is possible. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit is now public and may be used. Upgrading the affected component is recommended.

AnalysisAI

FlowiseAI Flowise up to version 3.0.12 allows remote unauthenticated information disclosure through manipulation of the account verification endpoint. An attacker can exploit improper input validation in the verify function of the account service to extract sensitive information over the network. Publicly available exploit code exists, and the vendor has recommended upgrading to address this issue.

Technical ContextAI

The vulnerability resides in the verify function within packages/server/src/enterprise/services/account.service.ts, which handles endpoint authentication and validation logic. The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating that the verification mechanism fails to properly protect confidential data during processing. The affected component is part of FlowiseAI's enterprise account management system, which is likely responsible for validating user credentials or session tokens. The vulnerability allows attackers to bypass or manipulate this verification process to gain unauthorized access to sensitive information.

RemediationAI

Immediately upgrade FlowiseAI Flowise to a version after 3.0.12. The vendor's official advisory (referenced via VulDB) recommends upgrading the affected component, though the specific target version is not detailed in the provided references. Administrators should check the FlowiseAI GitHub repository or official release notes for the next available version after 3.0.12. Until patching is possible, restrict network access to the Flowise endpoint using firewall rules or reverse proxy authentication to limit exposure to trusted networks only. Disable the account verification endpoint entirely if it is not required for current operations. Additionally, monitor access logs for suspicious requests to the verify endpoint and implement rate limiting on authentication endpoints to reduce exploitation attempts.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

CVE-2026-8028 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy