Lucene search
K

5 matches found

nvd
nvd
added 2026/06/22 10:16 p.m.14 views

CVE-2026-56268

Flowise before 3.1.2 contains an information disclosure vulnerability in the /api/v1/chatflows/apikey/:apikey endpoint. When the keyonly query parameter is omitted the default, the endpoint returns not only the chatflows bound to the supplied API key but also all chatflows across every workspace...

7.7CVSS0.00281EPSS
Exploits1References2
redhatcve
redhatcve
added 2026/06/05 7:20 p.m.12 views

CVE-2026-41278

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...

8.7CVSS5.4AI score0.00421EPSS
Exploits1References1
osv
osv
added 2026/05/20 3:45 p.m.6 views

GHSA-C2C9-MFW7-P8HW Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows

Summary The /api/v1/chatflows/apikey/:apikey endpoint whitelisted, accessible with API key auth only returns all chatflows bound to the provided API key AND all chatflows across the entire system that have no API key assigned. This crosses workspace boundaries, allowing a user in Workspace A who...

5.3CVSS5.8AI score0.00281EPSS
Exploits1References2
snyk
snyk
added 2026/05/20 3:45 p.m.28 views

Incorrect Authorization

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Incorrect Authorization through the getChatflowByApiKey handler in the chatflow API and the getChatflowByApiKey query in the chatflow service. An attacker can retrieve chatflows from other workspaces by...

7.1CVSS5.8AI score
Exploits0References2
ptsecurity
ptsecurity
added 2026/05/20 12:0 a.m.20 views

PT-2026-51405

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description An information disclosure issue exists in the '/api/v1/chatflows/apikey/:apikey' endpoint. When the keyonly query parameter is omitted, the system returns chatflows bound to the provided API key as...

7.7CVSS5.8AI score0.00281EPSS
Exploits1References8
Rows per page
Query Builder