flowise@3.1.1

Flowiseai Server

  • latest version: 3.1.2

  • first published: 3 years ago

  • latest version published: 1 month ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the flowise package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability  |  Vulnerable Version
    • Incorrect Authorization (severity: High)

    flowise is a Flowiseai Server

    Affected versions of this package are vulnerable to Incorrect Authorization through the getChatflowByApiKey handler in the chatflow API and the getChatflowByApiKey query in the chatflow service. An attacker can retrieve chatflows from other workspaces by supplying a valid API key and requesting chatflow data without being constrained to the key’s workspace. This exposes chatflow definitions and related metadata to unauthorized users, allowing them to read configuration and workflow details belonging to other workspaces.

    Notes

    • The disclosure is broader in deployments where chatflows are left unassigned to any API key: the vulnerable query includes both apikeyid IS NULL and empty-string apikeyid records, so those “public” chatflows from other workspaces are returned alongside the caller’s own.
    • The returned ChatFlow entities expose more than names or IDs; the advisory’s impact is driven by fields such as flowData, chatbotConfig, apiConfig, and TTS/STT configuration being included in the response.

    How to fix Incorrect Authorization?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Improperly Controlled Modification of Dynamically-Determined Object Attributes (severity: Medium)

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the updateAssistant and createAssistant handlers in the assistant service. An attacker can reassign an assistant to a different workspace or overwrite server-managed fields by sending a crafted update or create request with properties such as workspaceId, id, or timestamp fields. This lets the attacker take control of assistant records outside their intended workspace, exposing, corrupting, or detaching assistant data from the user’s organization.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Permissive Cross-domain Policy with Untrusted Domains (severity: Medium)

    Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains through the generateTextToSpeech handler in the text-to-speech endpoint. An attacker can make a victim’s browser send authenticated requests from any webpage by calling the TTS generate API, causing the browser to accept the response under a wildcard CORS policy. This lets an untrusted site invoke the text-to-speech endpoint using the user’s credentials and read the resulting stream, exposing the generated audio and any data returned by the request to the attacker.

    Notes

    • The bypass is specific to the TTS generate route because it carries chatflowId in the request body rather than the URL path, so origin checks that only inspect path-based chatflow routes do not cover this endpoint.
    • The hardcoded wildcard applies even when the server’s configured CORS allowlist is restrictive, so deployments relying on getCorsOptions() for origin control are still exposed on this route.

    How to fix Permissive Cross-domain Policy with Untrusted Domains?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Access Control Bypass (severity: Medium)

    Affected versions of this package are vulnerable to Access Control Bypass via the POST /api/v1/account/login and POST /api/v1/account/invite endpoints. An attacker can obtain the bcrypt password hash, tempToken, and tokenExpiry of arbitrary accounts, including privileged accounts.

    Note:

    This issue is due to an incomplete fix for CVE-2025-58434.

    How to fix Access Control Bypass?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • Missing Authorization (severity: High)

    Affected versions of this package are vulnerable to Missing Authorization on the /api/v1/openai-assistants-vector-store API. Any user can manipulate, delete, or exfiltrate data by sending authenticated requests to the affected endpoints without proper permission checks.

    How to fix Missing Authorization?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Improperly Controlled Modification of Dynamically-Determined Object Attributes (severity: High)

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the /api/v1/variables endpoint. A user can modify internal attributes such as workspaceId, createdDate, and updatedDate by including them in the request body, resulting in unauthorized reassignment of resources across workspaces and potential bypass of tenant isolation in multi-workspace environments.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Improperly Controlled Modification of Dynamically-Determined Object Attributes (severity: High)

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over data across different workspaces by supplying JSON bodies that overwrite ownership fields such as workspaceId or id during create or update operations. This allows the attacker to move dataset rows between workspaces they do not belong to, exposing sensitive data to unintended parties and breaking workspace isolation. This is only exploitable if the attacker is an authenticated user with edit permissions for the target dataset row and can enumerate or guess valid workspace UUIDs.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Improperly Controlled Modification of Dynamically-Determined Object Attributes (severity: High)

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the /api/v1/tools endpoint when the server fails to validate and restrict client-supplied fields in the request body. An attacker can modify sensitive fields such as workspaceId, createdDate, and updatedDate by including them in the request, resulting in unauthorized reassignment of resources across workspaces and manipulation of metadata. This is only exploitable if the deployment is configured for multi-tenant or multi-workspace environments.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Insufficiently Protected Credentials (severity: Medium)

    Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the credentialName filter parameter of the credentials API endpoint. An attacker can access encryptedData, which contains encrypted credential data such as API keys, passwords, and tokens, by making authenticated requests that include this filter. If the attacker also obtains the encryption key file, they can fully decrypt and steal sensitive credentials.

    How to fix Insufficiently Protected Credentials?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Improperly Controlled Modification of Dynamically-Determined Object Attributes (severity: High)

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes over the /api/v1/chatflows endpoint. A user can gain unauthorized access to and modify sensitive attributes, such as deployment status, visibility, workspace assignment, and metadata, by including additional fields in the request body, such as:

    • deployed
    • isPublic
    • workspaceId
    • createdDate
    • updatedDate
    • category
    • type

    This enables cross-workspace resource reassignment and unauthorized changes to deployment and visibility settings.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Arbitrary Code Injection (severity: Critical)

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the node-custom-function endpoint when user-supplied JavaScript is executed in a NodeVM sandbox without sufficient route-level authorization. A user can execute commands on the server by submitting malicious JavaScript code that escapes the sandbox and gains access to the host process object, which can run code as a child_process. This vulnerability only occurs when E2B_APIKEY is not set. It is not set by default.

    How to fix Arbitrary Code Injection?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Improperly Controlled Modification of Dynamically-Determined Object Attributes (severity: High)

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the PUT /api/v1/assistants/{assistantId} endpoint, when the server fails to validate and restrict modifications to server-controlled fields in the request body. An attacker can reassign resources across workspaces and alter internal metadata by submitting crafted JSON payloads containing unauthorized fields.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Brute Force (severity: High)

    Affected versions of this package are vulnerable to Brute Force due to the use of the checkBasicAuth() function for checking credentials. An attacker can enumerate valid credentials by sending repeated authentication attempts without restriction, exploiting the lack of rate limiting and plaintext credential comparison.

    How to fix Brute Force?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Improperly Controlled Modification of Dynamically-Determined Object Attributes (severity: High)

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through improper handling of the Object.assign process in the dataset service. An attacker can gain unauthorized access to datasets across different workspaces by supplying crafted values for sensitive fields such as workspaceId or id in API requests. This allows the attacker to move datasets between workspaces, exposing sensitive data to unauthorized users and causing loss of access for the original workspace. This is only exploitable if the attacker is an authenticated user with edit permissions for a dataset and can enumerate or guess valid workspace UUIDs.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Improperly Controlled Modification of Dynamically-Determined Object Attributes (severity: High)

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over assistants across different workspaces by supplying crafted JSON bodies that overwrite the workspaceId field during assistant creation or update. This allows the attacker to move assistants between workspaces they do not belong to, exposing sensitive configuration and credentials to unauthorized users. This is only exploitable if the attacker is an authenticated user with permission to update or create assistants and can enumerate target workspace UUIDs.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Improperly Controlled Modification of Dynamically-Determined Object Attributes (severity: High)

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over evaluation data across different workspaces by supplying crafted JSON bodies that overwrite ownership fields such as workspaceId or id during entity creation or update. This allows the attacker to move evaluations between workspaces, exposing sensitive data to unauthorized users and breaking workspace isolation. This is only exploitable if the attacker is an authenticated user with permission to update or create evaluations and can enumerate or guess valid workspace UUIDs.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Improperly Controlled Modification of Dynamically-Determined Object Attributes (severity: High)

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over resources belonging to other workspaces by supplying crafted values for sensitive fields such as workspaceId or id in the request body. This is only exploitable if the attacker is an authenticated user with permission to update a custom template and can enumerate or guess valid workspace UUIDs.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Improperly Controlled Modification of Dynamically-Determined Object Attributes (severity: High)

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over resources belonging to other workspaces by supplying crafted values for sensitive fields such as workspaceId or id in the request body. This is only exploitable if the attacker is an authenticated user with permission to update or create an evaluator entity.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Incomplete List of Disallowed Inputs (severity: High)

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to inadequate input validation in the validateCommandFlags and validateArgsForLocalFileAccess functions. An attacker can execute arbitrary commands on the server by bypassing command flag blacklists and local file access restrictions through crafted arguments to the MCP interface. This is only exploitable if the attacker has an account or API access with view and update permissions for chatflows, and the deployment environment has the required commands (such as docker or npx) available.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade flowise to version 3.1.2 or higher.

    Vulnerable versions: <3.1.2
    • Cross-site Scripting (XSS) (severity: Medium)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insufficient filtering of user input in web application components such as the chat box and agent workflow processes. An attacker can execute arbitrary JavaScript code in the victim's browser by injecting malicious scripts, potentially leading to theft of sensitive information such as cookies when a user interacts with crafted content.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • Cross-site Scripting (XSS) (severity: High)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the chat logs, due to improper input sanitization. An attacker can access sensitive information or impersonate an administrator by injecting malicious HTML or scripts into chat prompts, which are then rendered when an admin views the logs.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • Uncontrolled Resource Consumption ('Resource Exhaustion') (severity: High)

    Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the /api/v1/get-upload-file API endpoint. An attacker can cause the application to crash by sending specially crafted input.

    How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • Cross-site Scripting (XSS) (severity: Medium)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /api/v1/public-chatflows/id endpoint, which returns a 404 page in the absence of a chatflow ID. An attacker can inject malicious scripts into the text/html page to read unintended files on the filesystem.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • Cross-site Scripting (XSS) (severity: Medium)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the /api/v1/chatflows-streaming/id endpoint, which returns a 404 page in the absence of a streaming ID. An attacker can inject malicious scripts into the text/html page to read unintended files on the filesystem.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • Cross-site Scripting (XSS) (severity: Medium)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /api/v1/credentials/id endpoint, which returns a 404 page in the absence of a credential ID. An attacker can inject malicious scripts into the text/html page to read unintended files on the filesystem.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • Cross-site Scripting (XSS) (severity: Medium)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the api/v1/chatflows/id endpoint, which returns a 404 page in the absence of a chatflow ID. An attacker can inject malicious scripts into the text/html page to read unintended files on the filesystem.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • Path Traversal (severity: High)

    Affected versions of this package are vulnerable to Path Traversal due to improper sanitization of the filename parameter used by the /api/v1/openai-assistants-file endpoint. An attacker can pass in a path traversal string to read arbitrary files on the vulnerable file system.

    How to fix Path Traversal?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)