Lucene search
K

11 matches found

RedhatCVE
RedhatCVE
added 2026/04/25 7:22 a.m.7 views

CVE-2026-41266

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just...

7.7CVSS5.4AI score0.00346EPSS
Exploits1References1
NVD
NVD
added 2026/04/23 8:16 p.m.10 views

CVE-2026-41266

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just...

7.7CVSS0.00346EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/23 7:52 p.m.12 views

EUVD-2026-25297

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...

8.7CVSS5.8AI score0.00421EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/23 7:11 p.m.5 views

CVE-2026-41266

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just...

7.7CVSS5.8AI score0.00346EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/04/23 7:11 p.m.9 views

EUVD-2026-25283

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just...

7.7CVSS5.8AI score0.00346EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/23 7:11 p.m.36 views

CVE-2026-41266 Flowise: Sensitive Data Leak in public-chatbotConfig

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just...

7.7CVSS0.00346EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/04/23 12:0 a.m.10 views

Flowise 信息泄露漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior versions of Flowise, up to 3.1.0, contained a vulnerability related to information leakage. This vulnerability stemmed from the /api/v1/public-chatbotConfig/ endpoint, which exposed sensiti...

7.7CVSS5.7AI score0.00346EPSS
Exploits1References2
OSV
OSV
added 2026/04/17 9:34 p.m.5 views

GHSA-W47F-J8RH-WX87 Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs

Summary The GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image...

8.7CVSS5.8AI score0.00421EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/16 9:52 p.m.15 views

Missing Authentication for Critical Function

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the public-chatbotConfig and oauth2-credential/refresh endpoints. An attacker can obtain OAuth 2.0 access tokens for third-party services by retrieving...

10CVSS5.5AI score0.00308EPSS
Exploits1References2
OSV
OSV
added 2026/04/16 9:44 p.m.6 views

GHSA-4JPM-CGX2-8H37 Flowise: Sensitive Data Leak in public-chatbotConfig

Summary /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers,...

7.7CVSS5.8AI score0.00346EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/16 9:44 p.m.6 views

Missing Authorization

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Missing Authorization in the /api/v1/public-chatbotConfig/:id endpoint in chatbotConfig. An attacker can access sensitive credentials, including API keys and authorization headers, by sending unauthenticate...

8.6CVSS5.8AI score0.00346EPSS
Exploits1References3
Rows per page
Query Builder