2 matches found
CVE-2026-30820
Flowise, a UI for building LLM flows, is affected pre-3.0.13. The vulnerability arises because the server trusts any HTTP client that sends the header x-request-from: internal, allowing an authenticated tenant with only a session cookie to bypass /api/v1/** authorization checks and access interna...
Access Control Bypass
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Access Control Bypass in the middleware that processes requests to /api/v1 endpoints. An attacker can gain unauthorized access to internal administration APIs by spoofing the x-request-from header as...