Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was detected in FlowiseAI Flowise up to 3.0.12. This affects the function verify of the file packages/server/src/enterprise/services/account.service.ts of the component Endpoint. Performing a manipulation results in information disclosure. Remote exploitation of the attack is possible. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit is now public and may be used. Upgrading the affected component is recommended.
AnalysisAI
FlowiseAI Flowise up to version 3.0.12 allows remote unauthenticated information disclosure through manipulation of the account verification endpoint. An attacker can exploit improper input validation in the verify function of the account service to extract sensitive information over the network. Publicly available exploit code exists, and the vendor has recommended upgrading to address this issue.
Technical ContextAI
The vulnerability resides in the verify function within packages/server/src/enterprise/services/account.service.ts, which handles endpoint authentication and validation logic. The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating that the verification mechanism fails to properly protect confidential data during processing. The affected component is part of FlowiseAI's enterprise account management system, which is likely responsible for validating user credentials or session tokens. The vulnerability allows attackers to bypass or manipulate this verification process to gain unauthorized access to sensitive information.
RemediationAI
Immediately upgrade FlowiseAI Flowise to a version after 3.0.12. The vendor's official advisory (referenced via VulDB) recommends upgrading the affected component, though the specific target version is not detailed in the provided references. Administrators should check the FlowiseAI GitHub repository or official release notes for the next available version after 3.0.12. Until patching is possible, restrict network access to the Flowise endpoint using firewall rules or reverse proxy authentication to limit exposure to trusted networks only. Disable the account verification endpoint entirely if it is not required for current operations. Additionally, monitor access logs for suspicious requests to the verify endpoint and implement rate limiting on authentication endpoints to reduce exploitation attempts.
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c
FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una
Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27832