CVE-2026-30820

High CVSS: 8.7

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.

Vendor

Flowiseai

Product

Flowise

CWE

CWE-863

Yayın Tarihi

2026-03-07 05:16:26

Güncelleme

2026-03-11 13:46:22

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-863 Flowise HIGH Flowiseai 2026

Referanslar

https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq

Benzer Kayıtlar

High

CVE-2026-31829

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise expose…

High

CVE-2026-30823

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there…

High

CVE-2026-30824

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NV…

High

CVE-2026-30822

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauth…

High

CVE-2026-30821

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /a…

Medium

CVE-2025-57164

Flowise through v3.0.4 is vulnerable to remote code execution via unsanitized evaluation of user input in the "Supabase…