Flowise
Monthly
Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.
Authentication bypass in Flowise 3.0.13 and earlier lets unauthenticated remote attackers forge valid signed session cookies and impersonate any user, including administrators. The flaw stems from a publicly known hardcoded default secret ('flowise') used by the express-session middleware whenever the EXPRESS_SESSION_SECRET environment variable is left unset - the default deployment state. No public exploit identified at time of analysis, but forgery is trivial since the signing key is visible in the source code, and CVSS 4.0 rates it 9.3 (Critical).
Cross-origin request forgery via a hardcoded CORS wildcard in Flowise's text-to-speech endpoint (versions before 3.1.2) allows any malicious webpage to trigger TTS generation using a victim's stored credentials. The controller file `packages/server/src/controllers/text-to-speech/index.ts` unconditionally sets `Access-Control-Allow-Origin: *`, directly overriding the server's restrictive `getCorsOptions()` CORS policy for that route. No public exploit is identified at time of analysis, but the attack requires only basic web scripting skill given the straightforward CORS bypass mechanism.
Arbitrary code execution in Flowise before 3.1.3 on Windows allows an authenticated user with Custom MCP node configuration access to bypass the NODE_OPTIONS environment variable denylist by supplying the lowercase variant 'node_options', exploiting a case-sensitive string comparison against a case-insensitive OS. The injected NODE_OPTIONS --require directive causes the Flowise server process to load an attacker-controlled module when spawning a Custom MCP stdio child process. A publicly available proof-of-concept exists per VulnCheck; the vulnerability is not listed in CISA KEV, and exploitation is constrained by Windows platform dependency and the requirement for stdio mode to be explicitly enabled.
Arbitrary file write leading to remote code execution in FlowiseAI Flowise (versions <= 2.2.7) lets unauthenticated remote attackers overwrite any file on the host via the /api/v1/document-store/loader/process endpoint. The fileName parameter is passed unsanitized into path.join() inside storageUtils.ts, so ../ sequences escape the storage directory; overwriting package.json injects a malicious start script that executes on the next application restart. Publicly available exploit code exists (vendor GHSA PoC overwriting package.json), and the issue carries a CVSS 4.0 base score of 10.0; no public active-exploitation listing was identified at time of analysis.
Remote code execution in Flowise (versions 2.2.7-patch.1 through pre-3.0.6) lets attackers run arbitrary OS commands by abusing the Custom MCP feature, which is intended to spawn local MCP servers via tools like npx. Because the default installation runs with no authentication (unless FLOWISE_USERNAME/FLOWISE_PASSWORD are set) and lacks role-based access control, an attacker can POST a crafted JSON payload bearing the 'x-request-from: internal' header to /api/v1/node-load-method/customMCP and fully compromise the host container. Publicly available exploit code exists in the GHSA advisory, including a reverse-shell payload via nc.
Persistent session hijacking in Flowise 3.0.7 and earlier (fixed in 3.0.10) lets an attacker retain authenticated access to a victim's account even after the victim changes their password, because the application never invalidates pre-existing sessions or session tokens on credential rotation (CWE-613). Anyone holding a stolen token or a device left logged in keeps full access, defeating the primary remediation users rely on after a suspected compromise. A working proof-of-concept is published in the vendor's GHSA advisory; publicly available exploit code exists, but there is no public exploit identified as actively exploited in the wild and it is not on the CISA KEV list.
Arbitrary file read and write in FlowiseAI Flowise (versions 2.2.8 through 3.0.5) lets remote unauthenticated attackers traverse the filesystem because the chatflowId and chatId parameters are never validated as UUIDs or numbers. By supplying a path-traversal value such as '../../../../../tmp' as the chatflow id, an attacker can write controlled files via the /api/v1/chatflows endpoint and read arbitrary files via /api/v1/get-upload-file and /api/v1/openai-assistants-file/download - and the file-write primitive can be escalated to remote code execution. A proof-of-concept is published in the GHSA advisory, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.
Unauthenticated arbitrary file upload in Flowise (versions through 2.2.7) lets remote attackers write malicious files to arbitrary locations on the server via the whitelisted /api/v1/attachments endpoint when storageType is set to local (the default). Because the chatId and chatflowId parameters are vulnerable to path traversal, an attacker can escape the intended upload directory and drop a webshell or other executable payload, leading to remote code execution and full server compromise. No public exploit identified at time of analysis, but the flaw is trivially reachable (CVSS 4.0 9.3) and was reported by VulnCheck with a vendor security advisory.
Account takeover in Flowise (the open-source low-code LLM application builder) before version 3.0.10 stems from the account settings Security section accepting a password change without requiring the current password or any re-verification. Any authenticated user - or an attacker who hijacks or coerces an existing authenticated session - can silently reset the account credential and seize full control of the account. Publicly available exploit code exists (documented PoC with repro steps and screenshot in the GitHub Security Advisory GHSA-fjh6-8679-9pch), but there is no public exploit identified as actively exploited and it is not listed in CISA KEV.
Authentication bypass in Flowise on-premise (npm package 'flowise', version 3.0.1 and earlier) lets unauthenticated remote attackers POST to the /api/v1/account/register endpoint to self-provision arbitrary user accounts and then log in, obtaining full API access without any prior credentials. The endpoint is open by default and the registration request is reusable, so an attacker can repeatedly create privileged ('type':'pro') accounts. A working proof-of-concept exists (publicly available exploit code exists via the VulnCheck/GHSA advisory), and the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact.
Unauthenticated arbitrary file read in Flowise before 3.0.6 lets remote attackers traverse outside the storage directory via the unvalidated chatId parameter on the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints, reading sensitive files such as /root/.flowise/database.sqlite and dumping the entire application database in default deployments. The flaw was reported by VulnCheck with a vendor security advisory (GHSA-99pg-hqvx-r4gf), and while no public exploit was identified at time of analysis, the root cause and code path are fully documented in the advisory, lowering the barrier to weaponization. CVSS 4.0 base score is 8.7 (High), reflecting network-reachable, no-authentication, no-interaction exploitation with high confidentiality impact.
Flowise versions up to and including 3.0.12 hash passwords using bcrypt with a default cost factor of 5 rounds - yielding only 32 iterations versus the OWASP-recommended minimum of 1,024 at 10 rounds - making stored password hashes approximately 30 times faster to crack with modern GPU hardware. All deployments where the PASSWORD_SALT_HASH_ROUNDS environment variable has not been manually overridden to 10 or higher are affected, which represents the majority of real-world installs since defaults predominate. In a database breach scenario, an attacker who obtains the hash table can leverage GPU-accelerated tools to recover plaintext passwords at roughly 300,000 attempts per second versus ~10,000 at the recommended work factor; no public exploit identified at time of analysis.
Unauthenticated OAuth secret disclosure in FlowiseAI Flowise versions 3.0.13 and earlier allows remote attackers to harvest cleartext SSO client secrets for Google, Microsoft/Azure, GitHub, and Auth0 by sending a single GET request to /api/v1/loginmethod with a guessable organizationId. Affects both FlowiseAI Cloud and self-hosted deployments where the endpoint is reachable; publicly available exploit code exists (vendor GHSA includes a complete request/response PoC), and the leaked credentials enable downstream identity-provider compromise.
Flowise versions 3.0.13 and earlier silently fall back to a hardcoded AES-256-CBC encryption key derived from the publicly known literal 'Secre$t' when TOKEN_HASH_SECRET is not configured, exposing the user and workspace IDs encoded in the 'meta' field of every JWT token issued by an unconfigured deployment. An authenticated user or network-positioned attacker who obtains any valid JWT can decrypt this metadata using the default key - now disclosed in the GHSA advisory and source code - and re-encrypt manipulated identifiers to probe downstream access controls. JWT signature validation is handled independently, so this does not constitute standalone token forgery, but identifier disclosure and metadata manipulation create a realistic stepping stone toward privilege escalation or unauthorized workspace access in multi-tenant deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patch Flowise 3.1.0 is available.
SQL injection in Flowise through 2.2.7 allows authenticated users to execute arbitrary SQL via the importChatflows API by supplying a crafted JSON file whose chatflow.id value is concatenated unsanitized into an IN clause. Successful exploitation enables blind and error-based extraction of stored credentials and tampering with application data. Publicly available exploit code exists in the GHSA advisory, though no active exploitation is confirmed.
Server-side request forgery in Flowise's Execute Flow node allows authenticated low-privilege users to coerce the server into issuing HTTP requests to arbitrary internal network addresses by supplying intranet URLs through the base URL configuration field. All flowise and flowise-components npm versions through 3.0.13 are affected due to the Execute Flow code path never invoking the secureFetch wrapper present in httpSecurity.ts. Publicly available exploit code exists in GHSA-9hrv-gvrv-6gf2, including a concrete POST request demonstrating server-side retrieval and echo of internal service responses; no CISA KEV listing indicates active mass exploitation at time of analysis.
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update permissions) to abuse the Custom MCP Server feature and run arbitrary OS commands on the host. The validateCommandFlags blocklist and validateArgsForLocalFileAccess regex are incomplete - for example 'docker build' is permitted and 'npx --yes' is permitted while only '-y' is blocked - letting attackers point Flowise at a hostile Dockerfile or local script to achieve full host compromise. Publicly available exploit code exists (the GHSA advisory ships a reproduction), though there is no public exploit identified at time of analysis in CISA KEV.
Account takeover in Flowise versions 3.0.7 and earlier allows an authenticated user to change their account email address via the profile endpoint without re-authenticating or confirming the change to the original email. Because email serves as both login identifier and password-recovery channel, an attacker who has hijacked a session (e.g., via XSS, stolen token, or unattended workstation) can pivot to permanent account ownership. Publicly available exploit code exists in the GitHub Security Advisory with reproduction steps, but no public exploit identified as actively used in the wild.
Cross-workspace chatflow configuration disclosure in Flowise before 3.1.2 allows any holder of a valid API key for one workspace to read the full configuration of unprotected chatflows belonging to all other workspaces in the same instance. The `/api/v1/chatflows/apikey/:apikey` endpoint's database query omits a workspace scope filter when the `keyonly` parameter is absent (the default), causing it to return every chatflow system-wide where `apikeyid` is NULL or empty - including `flowData`, system prompts, `chatbotConfig`, `apiConfig`, and credential IDs from unrelated tenants. No public exploit code or CISA KEV listing has been identified at time of analysis, but the vulnerability is trivially reproducible given the disclosed source code and standard HTTP tooling.
Path traversal in FlowiseAI Flowise's S3 Document Loader component (packages/components/nodes/documentloaders/S3/S3.ts) enables authenticated remote attackers to manipulate S3 object key inputs to access files outside the intended storage scope. Versions 3.1.0 through 3.1.2 are confirmed affected. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), and the vendor did not respond to responsible disclosure, leaving no vendor-confirmed patch at time of analysis.
Mass assignment in Flowise's PUT /api/v1/user endpoint (all versions before 3.1.2) allows an authenticated user to overwrite their own account's password hash by supplying a crafted `credential` field in the request body, entirely bypassing the intended old-password verification, hashing enforcement, and session-invalidation workflow. An attacker who first obtains a temporary session - via XSS, token theft, or session hijacking - can exploit this to establish permanent account persistence even after the legitimate session expires, with no knowledge of the current password required. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 3.1.2.
Unauthenticated PII exposure in Flowise's forgot-password API endpoint allows remote attackers to harvest user objects containing IDs, full names, email addresses, account status, and timestamps by submitting any known or guessed email address. All Flowise releases prior to 3.0.13 are affected via the POST /api/v1/account/forgot-password endpoint, which returns a sanitized but data-rich user object instead of a generic acknowledgment. No public exploit has been identified at time of analysis per CISA KEV, though the GHSA advisory (GHSA-jc5m-wrp2-qq38) includes a working curl-based proof-of-concept demonstrating the full response.
Cross-site scripting in Flowise before 3.0.8 allows unauthenticated network attackers to inject malicious JavaScript into the chat interface via iframe javascript: URI payloads, or indirectly via custom agent functions that fetch and render unsanitized external HTTP responses. When a victim browses the affected chat or agent output in their browser, the injected script executes in their session, enabling cookie theft and session hijacking. A working proof-of-concept payload is publicly documented in GitHub Security Advisory GHSA-4fr9-3x69-36wv; no active exploitation is confirmed in CISA KEV at time of analysis.
Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Information disclosure in FlowiseAI Flowise prior to version 3.1.2 allows authenticated users to retrieve encrypted credential blobs (API keys, passwords, OAuth tokens for OpenAI, AWS, etc.) by querying the credentials API with a credentialName filter. The /api/v1/credentials endpoint correctly strips the encryptedData field on unfiltered queries but omits this sanitization on the filtered code path, exposing AES-encrypted secrets to any authenticated caller. No public exploit identified at time of analysis, though a working curl reproduction is published in the GHSA advisory.
Authenticated remote code execution in FlowiseAI Flowise prior to 3.1.2 allows any user with a valid session or API key to submit arbitrary JavaScript via POST /api/v1/node-custom-function, which executes inside a NodeVM sandbox that can be escaped to reach the host process and spawn child processes. CVSS 4.0 scores this 9.4 Critical, and publicly available exploit details exist via the GHSA advisory, though no public exploit identified at time of analysis in CISA KEV. The flaw stems from missing route-level authorization combined with a sandbox that Flowise itself documents as a security boundary but which fails to contain malicious payloads.
Cross-workspace tenant isolation bypass in FlowiseAI versions prior to 3.1.2 allows authenticated low-privileged users to reassign assistant resources to arbitrary workspaces by manipulating server-controlled fields in the assistant update endpoint. The flaw is a mass assignment issue (CWE-284) tracked as EUVD-2026-35109, with publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified at time of analysis as widely deployed exploitation. SSVC indicates total technical impact but non-automatable exploitation.
Credential brute-force exposure in Flowise prior to 3.1.2 allows remote unauthenticated attackers to perform unlimited password-guessing attacks against the checkBasicAuth endpoint, which lacks rate limiting and uses non-constant-time plaintext comparison against the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables. Successful exploitation grants full access to the Flowise LLM workflow builder. No public exploit identified at time of analysis, though the GHSA advisory documents the vulnerable code path in detail and EPSS sits at a low 0.04%.
Flowise versions prior to 3.1.0 allow authenticated remote attackers to bypass SSRF protections by exploiting direct HTTP client imports in four tool implementations (OpenAPIToolkit, WebScraperTool, MCP, and Arxiv) that circumvent the centralized httpSecurity.ts validation wrapper. An attacker with tool access can craft requests to reach blocked internal endpoints such as AWS metadata services, restoring full SSRF capability despite administrative deny-list configuration.
FlowiseAI Flowise up to version 3.0.12 allows remote unauthenticated information disclosure through manipulation of the account verification endpoint. An attacker can exploit improper input validation in the verify function of the account service to extract sensitive information over the network. Publicly available exploit code exists, and the vendor has recommended upgrading to address this issue.
Authorization bypass in FlowiseAI Flowise up to version 3.0.12 allows authenticated users to manipulate userId, organizationId, workspaceId, and email parameters in the User Controller Handler, potentially gaining unauthorized access to other users' data or organizational resources. The vulnerability requires valid user authentication and remote network access, resulting in confidentiality impact with low attack complexity. No active exploitation in CISA KEV has been confirmed at time of analysis.
Information disclosure in FlowiseAI Flowise up to version 3.0.12 allows remote attackers to extract sensitive data through the Login function in the API Response Handler component. The vulnerability requires high attack complexity and is difficult to exploit, but successful exploitation results in confidentiality impact without authentication requirements. No public confirmation of active exploitation has been identified at time of analysis.
Cypher injection in Flowise GraphCypherQAChain node allows remote unauthenticated attackers to execute arbitrary database commands against connected Neo4j instances. Attackers can exfiltrate, modify, or delete data in the graph database by injecting malicious Cypher queries through user-controlled input fields that bypass sanitization (CWE-943: Improper Neutralization of Special Elements in Data Query Logic). The vulnerability affects both Flowise core and flowise-components packages prior to version 3.1.0. CVSS 9.3 critical severity reflects network-accessible attack vector requiring no authentication or user interaction. EPSS data unavailable; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though GitHub security advisory confirms vendor awareness and patch availability.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities. Because the service uses repository.save() with a client-supplied primary key, the POST create endpoint behaves as an implicit UPSERT operation. This enables overwriting existing DocumentStore objects. In multi-workspace or multi-tenant deployments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR), allowing an attacker to reassign or modify DocumentStore objects belonging to other workspaces. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the resetPassword method of the AccountService class. There is no check performed to ensure that a password reset token has actually been generated for a user account. By default the value of the reset token stored in a users account is null, or an empty string if they've reset their password before. An attacker with knowledge of the user's email address can submit a request to the "/api/v1/account/reset-password" endpoint containing a null or empty string reset token value and reset that user's password to a value of their choosing. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle (MITM) attack, where an attacker on the same network as the user (e.g., public Wi-Fi) can intercept the reset link and gain unauthorized access to the victim’s account. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.
Flowise versions prior to 3.0.13 allow unauthenticated users to trigger Server-Side Request Forgery (SSRF) attacks through improperly validated URLs in the HTTP Node component, enabling attackers to probe internal networks and cloud metadata endpoints from the Flowise server. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. Any organization running a publicly exposed Flowise instance is at immediate risk of internal network reconnaissance and potential credential theft from cloud environments.
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerability data. PoC available.
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attributes (CVSS 7.7).
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoofing an internal request header, granting access to sensitive administrative functions including API key and credential management. Public exploit code exists for this vulnerability, and an attacker with valid tenant credentials can escalate to administrative privileges without additional authentication. No patch is currently available for affected deployments.
Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when 'ALLOW_BUILTIN_DEP' is enabled) lets a logged-in user break out of the nodevm sandbox by abusing the bundled Puppeteer and Playwright modules. Because a custom tool can specify an attacker-controlled browser binary path and launch parameters, executing that tool runs an arbitrary executable on the host outside the intended sandbox, yielding code execution in the host context. Publicly available exploit code exists; the flaw is not listed in CISA KEV, and it was mis-filed by the vendor as a duplicate of CVE-2025-26319 but is distinct.
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig parameter is parsed unsafely, allowing attackers to inject arbitrary system commands through the MCP server configuration that are executed when Flowise spawns the MCP server process.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS commands. The combination of no default authentication and the ability to spawn local processes via tools like npx enables unauthenticated remote code execution on any Flowise installation.
Flowise <= 2.2.3 is vulnerable to SQL Injection. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Unauthenticated attackers can upload malicious files including executable scripts, achieving remote code execution on the Flowise server.
Flowise < 2.1.1 suffers from a Stored Cross-Site vulnerability due to a lack of input sanitization in Flowise Chat Embed < 2.0.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance running a vulnerable version due to improper handling of user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.
Authentication bypass in Flowise 3.0.13 and earlier lets unauthenticated remote attackers forge valid signed session cookies and impersonate any user, including administrators. The flaw stems from a publicly known hardcoded default secret ('flowise') used by the express-session middleware whenever the EXPRESS_SESSION_SECRET environment variable is left unset - the default deployment state. No public exploit identified at time of analysis, but forgery is trivial since the signing key is visible in the source code, and CVSS 4.0 rates it 9.3 (Critical).
Cross-origin request forgery via a hardcoded CORS wildcard in Flowise's text-to-speech endpoint (versions before 3.1.2) allows any malicious webpage to trigger TTS generation using a victim's stored credentials. The controller file `packages/server/src/controllers/text-to-speech/index.ts` unconditionally sets `Access-Control-Allow-Origin: *`, directly overriding the server's restrictive `getCorsOptions()` CORS policy for that route. No public exploit is identified at time of analysis, but the attack requires only basic web scripting skill given the straightforward CORS bypass mechanism.
Arbitrary code execution in Flowise before 3.1.3 on Windows allows an authenticated user with Custom MCP node configuration access to bypass the NODE_OPTIONS environment variable denylist by supplying the lowercase variant 'node_options', exploiting a case-sensitive string comparison against a case-insensitive OS. The injected NODE_OPTIONS --require directive causes the Flowise server process to load an attacker-controlled module when spawning a Custom MCP stdio child process. A publicly available proof-of-concept exists per VulnCheck; the vulnerability is not listed in CISA KEV, and exploitation is constrained by Windows platform dependency and the requirement for stdio mode to be explicitly enabled.
Arbitrary file write leading to remote code execution in FlowiseAI Flowise (versions <= 2.2.7) lets unauthenticated remote attackers overwrite any file on the host via the /api/v1/document-store/loader/process endpoint. The fileName parameter is passed unsanitized into path.join() inside storageUtils.ts, so ../ sequences escape the storage directory; overwriting package.json injects a malicious start script that executes on the next application restart. Publicly available exploit code exists (vendor GHSA PoC overwriting package.json), and the issue carries a CVSS 4.0 base score of 10.0; no public active-exploitation listing was identified at time of analysis.
Remote code execution in Flowise (versions 2.2.7-patch.1 through pre-3.0.6) lets attackers run arbitrary OS commands by abusing the Custom MCP feature, which is intended to spawn local MCP servers via tools like npx. Because the default installation runs with no authentication (unless FLOWISE_USERNAME/FLOWISE_PASSWORD are set) and lacks role-based access control, an attacker can POST a crafted JSON payload bearing the 'x-request-from: internal' header to /api/v1/node-load-method/customMCP and fully compromise the host container. Publicly available exploit code exists in the GHSA advisory, including a reverse-shell payload via nc.
Persistent session hijacking in Flowise 3.0.7 and earlier (fixed in 3.0.10) lets an attacker retain authenticated access to a victim's account even after the victim changes their password, because the application never invalidates pre-existing sessions or session tokens on credential rotation (CWE-613). Anyone holding a stolen token or a device left logged in keeps full access, defeating the primary remediation users rely on after a suspected compromise. A working proof-of-concept is published in the vendor's GHSA advisory; publicly available exploit code exists, but there is no public exploit identified as actively exploited in the wild and it is not on the CISA KEV list.
Arbitrary file read and write in FlowiseAI Flowise (versions 2.2.8 through 3.0.5) lets remote unauthenticated attackers traverse the filesystem because the chatflowId and chatId parameters are never validated as UUIDs or numbers. By supplying a path-traversal value such as '../../../../../tmp' as the chatflow id, an attacker can write controlled files via the /api/v1/chatflows endpoint and read arbitrary files via /api/v1/get-upload-file and /api/v1/openai-assistants-file/download - and the file-write primitive can be escalated to remote code execution. A proof-of-concept is published in the GHSA advisory, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.
Unauthenticated arbitrary file upload in Flowise (versions through 2.2.7) lets remote attackers write malicious files to arbitrary locations on the server via the whitelisted /api/v1/attachments endpoint when storageType is set to local (the default). Because the chatId and chatflowId parameters are vulnerable to path traversal, an attacker can escape the intended upload directory and drop a webshell or other executable payload, leading to remote code execution and full server compromise. No public exploit identified at time of analysis, but the flaw is trivially reachable (CVSS 4.0 9.3) and was reported by VulnCheck with a vendor security advisory.
Account takeover in Flowise (the open-source low-code LLM application builder) before version 3.0.10 stems from the account settings Security section accepting a password change without requiring the current password or any re-verification. Any authenticated user - or an attacker who hijacks or coerces an existing authenticated session - can silently reset the account credential and seize full control of the account. Publicly available exploit code exists (documented PoC with repro steps and screenshot in the GitHub Security Advisory GHSA-fjh6-8679-9pch), but there is no public exploit identified as actively exploited and it is not listed in CISA KEV.
Authentication bypass in Flowise on-premise (npm package 'flowise', version 3.0.1 and earlier) lets unauthenticated remote attackers POST to the /api/v1/account/register endpoint to self-provision arbitrary user accounts and then log in, obtaining full API access without any prior credentials. The endpoint is open by default and the registration request is reusable, so an attacker can repeatedly create privileged ('type':'pro') accounts. A working proof-of-concept exists (publicly available exploit code exists via the VulnCheck/GHSA advisory), and the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact.
Unauthenticated arbitrary file read in Flowise before 3.0.6 lets remote attackers traverse outside the storage directory via the unvalidated chatId parameter on the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints, reading sensitive files such as /root/.flowise/database.sqlite and dumping the entire application database in default deployments. The flaw was reported by VulnCheck with a vendor security advisory (GHSA-99pg-hqvx-r4gf), and while no public exploit was identified at time of analysis, the root cause and code path are fully documented in the advisory, lowering the barrier to weaponization. CVSS 4.0 base score is 8.7 (High), reflecting network-reachable, no-authentication, no-interaction exploitation with high confidentiality impact.
Flowise versions up to and including 3.0.12 hash passwords using bcrypt with a default cost factor of 5 rounds - yielding only 32 iterations versus the OWASP-recommended minimum of 1,024 at 10 rounds - making stored password hashes approximately 30 times faster to crack with modern GPU hardware. All deployments where the PASSWORD_SALT_HASH_ROUNDS environment variable has not been manually overridden to 10 or higher are affected, which represents the majority of real-world installs since defaults predominate. In a database breach scenario, an attacker who obtains the hash table can leverage GPU-accelerated tools to recover plaintext passwords at roughly 300,000 attempts per second versus ~10,000 at the recommended work factor; no public exploit identified at time of analysis.
Unauthenticated OAuth secret disclosure in FlowiseAI Flowise versions 3.0.13 and earlier allows remote attackers to harvest cleartext SSO client secrets for Google, Microsoft/Azure, GitHub, and Auth0 by sending a single GET request to /api/v1/loginmethod with a guessable organizationId. Affects both FlowiseAI Cloud and self-hosted deployments where the endpoint is reachable; publicly available exploit code exists (vendor GHSA includes a complete request/response PoC), and the leaked credentials enable downstream identity-provider compromise.
Flowise versions 3.0.13 and earlier silently fall back to a hardcoded AES-256-CBC encryption key derived from the publicly known literal 'Secre$t' when TOKEN_HASH_SECRET is not configured, exposing the user and workspace IDs encoded in the 'meta' field of every JWT token issued by an unconfigured deployment. An authenticated user or network-positioned attacker who obtains any valid JWT can decrypt this metadata using the default key - now disclosed in the GHSA advisory and source code - and re-encrypt manipulated identifiers to probe downstream access controls. JWT signature validation is handled independently, so this does not constitute standalone token forgery, but identifier disclosure and metadata manipulation create a realistic stepping stone toward privilege escalation or unauthorized workspace access in multi-tenant deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patch Flowise 3.1.0 is available.
SQL injection in Flowise through 2.2.7 allows authenticated users to execute arbitrary SQL via the importChatflows API by supplying a crafted JSON file whose chatflow.id value is concatenated unsanitized into an IN clause. Successful exploitation enables blind and error-based extraction of stored credentials and tampering with application data. Publicly available exploit code exists in the GHSA advisory, though no active exploitation is confirmed.
Server-side request forgery in Flowise's Execute Flow node allows authenticated low-privilege users to coerce the server into issuing HTTP requests to arbitrary internal network addresses by supplying intranet URLs through the base URL configuration field. All flowise and flowise-components npm versions through 3.0.13 are affected due to the Execute Flow code path never invoking the secureFetch wrapper present in httpSecurity.ts. Publicly available exploit code exists in GHSA-9hrv-gvrv-6gf2, including a concrete POST request demonstrating server-side retrieval and echo of internal service responses; no CISA KEV listing indicates active mass exploitation at time of analysis.
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update permissions) to abuse the Custom MCP Server feature and run arbitrary OS commands on the host. The validateCommandFlags blocklist and validateArgsForLocalFileAccess regex are incomplete - for example 'docker build' is permitted and 'npx --yes' is permitted while only '-y' is blocked - letting attackers point Flowise at a hostile Dockerfile or local script to achieve full host compromise. Publicly available exploit code exists (the GHSA advisory ships a reproduction), though there is no public exploit identified at time of analysis in CISA KEV.
Account takeover in Flowise versions 3.0.7 and earlier allows an authenticated user to change their account email address via the profile endpoint without re-authenticating or confirming the change to the original email. Because email serves as both login identifier and password-recovery channel, an attacker who has hijacked a session (e.g., via XSS, stolen token, or unattended workstation) can pivot to permanent account ownership. Publicly available exploit code exists in the GitHub Security Advisory with reproduction steps, but no public exploit identified as actively used in the wild.
Cross-workspace chatflow configuration disclosure in Flowise before 3.1.2 allows any holder of a valid API key for one workspace to read the full configuration of unprotected chatflows belonging to all other workspaces in the same instance. The `/api/v1/chatflows/apikey/:apikey` endpoint's database query omits a workspace scope filter when the `keyonly` parameter is absent (the default), causing it to return every chatflow system-wide where `apikeyid` is NULL or empty - including `flowData`, system prompts, `chatbotConfig`, `apiConfig`, and credential IDs from unrelated tenants. No public exploit code or CISA KEV listing has been identified at time of analysis, but the vulnerability is trivially reproducible given the disclosed source code and standard HTTP tooling.
Path traversal in FlowiseAI Flowise's S3 Document Loader component (packages/components/nodes/documentloaders/S3/S3.ts) enables authenticated remote attackers to manipulate S3 object key inputs to access files outside the intended storage scope. Versions 3.1.0 through 3.1.2 are confirmed affected. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), and the vendor did not respond to responsible disclosure, leaving no vendor-confirmed patch at time of analysis.
Mass assignment in Flowise's PUT /api/v1/user endpoint (all versions before 3.1.2) allows an authenticated user to overwrite their own account's password hash by supplying a crafted `credential` field in the request body, entirely bypassing the intended old-password verification, hashing enforcement, and session-invalidation workflow. An attacker who first obtains a temporary session - via XSS, token theft, or session hijacking - can exploit this to establish permanent account persistence even after the legitimate session expires, with no knowledge of the current password required. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 3.1.2.
Unauthenticated PII exposure in Flowise's forgot-password API endpoint allows remote attackers to harvest user objects containing IDs, full names, email addresses, account status, and timestamps by submitting any known or guessed email address. All Flowise releases prior to 3.0.13 are affected via the POST /api/v1/account/forgot-password endpoint, which returns a sanitized but data-rich user object instead of a generic acknowledgment. No public exploit has been identified at time of analysis per CISA KEV, though the GHSA advisory (GHSA-jc5m-wrp2-qq38) includes a working curl-based proof-of-concept demonstrating the full response.
Cross-site scripting in Flowise before 3.0.8 allows unauthenticated network attackers to inject malicious JavaScript into the chat interface via iframe javascript: URI payloads, or indirectly via custom agent functions that fetch and render unsanitized external HTTP responses. When a victim browses the affected chat or agent output in their browser, the injected script executes in their session, enabling cookie theft and session hijacking. A working proof-of-concept payload is publicly documented in GitHub Security Advisory GHSA-4fr9-3x69-36wv; no active exploitation is confirmed in CISA KEV at time of analysis.
Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Information disclosure in FlowiseAI Flowise prior to version 3.1.2 allows authenticated users to retrieve encrypted credential blobs (API keys, passwords, OAuth tokens for OpenAI, AWS, etc.) by querying the credentials API with a credentialName filter. The /api/v1/credentials endpoint correctly strips the encryptedData field on unfiltered queries but omits this sanitization on the filtered code path, exposing AES-encrypted secrets to any authenticated caller. No public exploit identified at time of analysis, though a working curl reproduction is published in the GHSA advisory.
Authenticated remote code execution in FlowiseAI Flowise prior to 3.1.2 allows any user with a valid session or API key to submit arbitrary JavaScript via POST /api/v1/node-custom-function, which executes inside a NodeVM sandbox that can be escaped to reach the host process and spawn child processes. CVSS 4.0 scores this 9.4 Critical, and publicly available exploit details exist via the GHSA advisory, though no public exploit identified at time of analysis in CISA KEV. The flaw stems from missing route-level authorization combined with a sandbox that Flowise itself documents as a security boundary but which fails to contain malicious payloads.
Cross-workspace tenant isolation bypass in FlowiseAI versions prior to 3.1.2 allows authenticated low-privileged users to reassign assistant resources to arbitrary workspaces by manipulating server-controlled fields in the assistant update endpoint. The flaw is a mass assignment issue (CWE-284) tracked as EUVD-2026-35109, with publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified at time of analysis as widely deployed exploitation. SSVC indicates total technical impact but non-automatable exploitation.
Credential brute-force exposure in Flowise prior to 3.1.2 allows remote unauthenticated attackers to perform unlimited password-guessing attacks against the checkBasicAuth endpoint, which lacks rate limiting and uses non-constant-time plaintext comparison against the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables. Successful exploitation grants full access to the Flowise LLM workflow builder. No public exploit identified at time of analysis, though the GHSA advisory documents the vulnerable code path in detail and EPSS sits at a low 0.04%.
Flowise versions prior to 3.1.0 allow authenticated remote attackers to bypass SSRF protections by exploiting direct HTTP client imports in four tool implementations (OpenAPIToolkit, WebScraperTool, MCP, and Arxiv) that circumvent the centralized httpSecurity.ts validation wrapper. An attacker with tool access can craft requests to reach blocked internal endpoints such as AWS metadata services, restoring full SSRF capability despite administrative deny-list configuration.
FlowiseAI Flowise up to version 3.0.12 allows remote unauthenticated information disclosure through manipulation of the account verification endpoint. An attacker can exploit improper input validation in the verify function of the account service to extract sensitive information over the network. Publicly available exploit code exists, and the vendor has recommended upgrading to address this issue.
Authorization bypass in FlowiseAI Flowise up to version 3.0.12 allows authenticated users to manipulate userId, organizationId, workspaceId, and email parameters in the User Controller Handler, potentially gaining unauthorized access to other users' data or organizational resources. The vulnerability requires valid user authentication and remote network access, resulting in confidentiality impact with low attack complexity. No active exploitation in CISA KEV has been confirmed at time of analysis.
Information disclosure in FlowiseAI Flowise up to version 3.0.12 allows remote attackers to extract sensitive data through the Login function in the API Response Handler component. The vulnerability requires high attack complexity and is difficult to exploit, but successful exploitation results in confidentiality impact without authentication requirements. No public confirmation of active exploitation has been identified at time of analysis.
Cypher injection in Flowise GraphCypherQAChain node allows remote unauthenticated attackers to execute arbitrary database commands against connected Neo4j instances. Attackers can exfiltrate, modify, or delete data in the graph database by injecting malicious Cypher queries through user-controlled input fields that bypass sanitization (CWE-943: Improper Neutralization of Special Elements in Data Query Logic). The vulnerability affects both Flowise core and flowise-components packages prior to version 3.1.0. CVSS 9.3 critical severity reflects network-accessible attack vector requiring no authentication or user interaction. EPSS data unavailable; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though GitHub security advisory confirms vendor awareness and patch availability.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities. Because the service uses repository.save() with a client-supplied primary key, the POST create endpoint behaves as an implicit UPSERT operation. This enables overwriting existing DocumentStore objects. In multi-workspace or multi-tenant deployments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR), allowing an attacker to reassign or modify DocumentStore objects belonging to other workspaces. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the resetPassword method of the AccountService class. There is no check performed to ensure that a password reset token has actually been generated for a user account. By default the value of the reset token stored in a users account is null, or an empty string if they've reset their password before. An attacker with knowledge of the user's email address can submit a request to the "/api/v1/account/reset-password" endpoint containing a null or empty string reset token value and reset that user's password to a value of their choosing. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle (MITM) attack, where an attacker on the same network as the user (e.g., public Wi-Fi) can intercept the reset link and gain unauthorized access to the victim’s account. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more. This vulnerability is fixed in 3.1.0.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.
Flowise versions prior to 3.0.13 allow unauthenticated users to trigger Server-Side Request Forgery (SSRF) attacks through improperly validated URLs in the HTTP Node component, enabling attackers to probe internal networks and cloud metadata endpoints from the Flowise server. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. Any organization running a publicly exposed Flowise instance is at immediate risk of internal network reconnaissance and potential credential theft from cloud environments.
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerability data. PoC available.
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attributes (CVSS 7.7).
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoofing an internal request header, granting access to sensitive administrative functions including API key and credential management. Public exploit code exists for this vulnerability, and an attacker with valid tenant credentials can escalate to administrative privileges without additional authentication. No patch is currently available for affected deployments.
Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when 'ALLOW_BUILTIN_DEP' is enabled) lets a logged-in user break out of the nodevm sandbox by abusing the bundled Puppeteer and Playwright modules. Because a custom tool can specify an attacker-controlled browser binary path and launch parameters, executing that tool runs an arbitrary executable on the host outside the intended sandbox, yielding code execution in the host context. Publicly available exploit code exists; the flaw is not listed in CISA KEV, and it was mis-filed by the vendor as a duplicate of CVE-2025-26319 but is distinct.
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig parameter is parsed unsafely, allowing attackers to inject arbitrary system commands through the MCP server configuration that are executed when Flowise spawns the MCP server process.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS commands. The combination of no default authentication and the ability to spawn local processes via tools like npx enables unauthenticated remote code execution on any Flowise installation.
Flowise <= 2.2.3 is vulnerable to SQL Injection. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Unauthenticated attackers can upload malicious files including executable scripts, achieving remote code execution on the Flowise server.
Flowise < 2.1.1 suffers from a Stored Cross-Site vulnerability due to a lack of input sanitization in Flowise Chat Embed < 2.0.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance running a vulnerable version due to improper handling of user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Flowise is a drag & drop user interface to build a customized large language model flow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.