May 21, 2026·4 min read·9 visits
Flowise <= 3.1.1 contains a flaw in API key authorization where a valid API key from any workspace can be used to read all unprotected chatflows from all other workspaces on the same instance. Administrators must upgrade to version 3.1.2 to resolve this data leakage.
An Incorrect Authorization vulnerability in Flowise versions up to 3.1.1 allows cross-workspace information disclosure. The `/api/v1/chatflows/apikey/:apikey` endpoint fails to scope database queries by workspace, exposing unprotected chatflow configurations, LLM prompts, and application metadata across the entire instance.
Flowise is an open-source low-code platform for building custom Large Language Model (LLM) applications. It supports multi-tenant environments through workspaces, utilizing API keys to segment access and execution rights. This architecture is designed to isolate chatflows and prevent cross-tenant data exposure.
GHSA-C2C9-MFW7-P8HW represents an Incorrect Authorization vulnerability (CWE-863) within this multi-tenant isolation mechanism. The flaw specifically affects the /api/v1/chatflows/apikey/:apikey endpoint, which client applications use to retrieve necessary configuration data for specific chat components.
In versions prior to 3.1.2, this endpoint fails to enforce strict workspace boundaries. An authenticated user belonging to one workspace can exploit this endpoint to disclose chatflow designs across the entire Flowise instance, provided those chatflows do not have explicit individual passwords configured.
The vulnerability stems from missing database query scoping. When a client application makes a request to the affected endpoint, it supplies an API key in the URL path. The Flowise backend receives this key and validates its format and active status.
However, the authorization check terminates prematurely. While the backend confirms the API key is active, it fails to extract the workspaceId associated with that specific key to use in the subsequent data retrieval phase. The resulting database query constructs a search for chatflows using only the "unprotected" status as the primary filter condition.
Because the workspaceId is omitted from the WHERE clause of the database query, the execution engine returns every unprotected chatflow present in the instance. The system then serializes this unrestricted result set and returns it to the client, effectively bypassing the intended multi-tenant authorization logic.
Exploitation of this vulnerability requires network access to the target Flowise instance and possession of at least one valid API key. This key can belong to a low-privileged workspace, making this an attack vector for lateral data discovery within shared development or production environments.
The attacker crafts an HTTP GET request directed at the vulnerable endpoint, substituting the :apikey parameter with their legitimate key. The request requires no complex payloads, special headers, or specific instance misconfigurations to execute successfully.
curl -X GET "https://flowise.example.com/api/v1/chatflows/apikey/sk-attacker-valid-key" \
-H "Accept: application/json"The resulting JSON response contains an array of chatflow objects. These objects include full structural details, node configurations, and prompt templates for applications belonging to entirely separate, unrelated workspaces.
The following sequence illustrates how the logic flaw causes data leakage across tenant boundaries.
The primary impact is unauthorized information disclosure affecting the confidentiality of AI agent designs. While the vulnerability is read-only and does not permit modification or deletion of resources, the leaked data often contains highly sensitive intellectual property.
Exposed chatflows reveal the precise system prompts, retrieval-augmented generation (RAG) configurations, and logic pathways designed by other users. This exposes proprietary prompt engineering techniques and internal business logic that application owners intend to keep confidential.
Furthermore, if developers have improperly embedded hardcoded secrets, API keys for external services (like OpenAI, Anthropic, or vector databases), or sensitive metadata directly into their unprotected chatflow nodes, these credentials will be exposed to the attacker, escalating the overall severity of the breach.
Administrators must upgrade all Flowise deployments to version 3.1.2 or later. The patch modifies the backend controller logic to explicitly extract the workspaceId linked to the provided API key and appends it as a mandatory filter parameter in the underlying database query.
If immediate patching is not technically feasible, administrators can temporarily mitigate the risk by configuring network-level access controls or Web Application Firewall (WAF) rules. Restricting access to the /api/v1/chatflows/apikey/ endpoint to trusted internal IP addresses prevents external lateral exploitation.
Additionally, ensuring that all individual chatflows are configured with explicit password protection will prevent them from being returned by the vulnerable query. The flaw specifically targets chatflows that rely solely on workspace boundaries for access control rather than explicit individual protection mechanisms.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
Flowise FlowiseAI | <= 3.1.1 | 3.1.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-863 (Incorrect Authorization) |
| Attack Vector | Network / Remote |
| CVSS Score | 5.3 (Medium) |
| Privileges Required | Low (Valid API Key) |
| Impact | Cross-Workspace Information Disclosure |
| Exploit Status | Proof of Concept available |
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.
An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.
An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.
A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.
A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).
CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.