Incorrect Authorization Affecting flowise package, versions <3.1.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Incorrect Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-FLOWISE-16874176
- published25 May 2026
- disclosed20 May 2026
- creditoffset
Introduced: 20 May 2026
New CVE NOT AVAILABLE CWE-863 (opens in a new tab)How to fix?
Upgrade flowise to version 3.1.2 or higher.
Overview
flowise is a Flowiseai Server
Affected versions of this package are vulnerable to Incorrect Authorization through the getChatflowByApiKey handler in the chatflow API and the getChatflowByApiKey query in the chatflow service. An attacker can retrieve chatflows from other workspaces by supplying a valid API key and requesting chatflow data without being constrained to the key’s workspace. This exposes chatflow definitions and related metadata to unauthorized users, allowing them to read configuration and workflow details belonging to other workspaces.
Notes
- The disclosure is broader in deployments where chatflows are left unassigned to any API key: the vulnerable query includes both
apikeyid IS NULLand empty-stringapikeyidrecords, so those “public” chatflows from other workspaces are returned alongside the caller’s own. - The returned
ChatFlowentities expose more than names or IDs; the advisory’s impact is driven by fields such asflowData,chatbotConfig,apiConfig, and TTS/STT configuration being included in the response.