GHSA-4jpm-cgx2-8h37: Flowise: Sensitive Data Leak in public-chatbotConfig
The /api/v1/public-chatbotConfig/:id endpoint exposes sensitive data, including API keys, HTTP authorization headers and internal configuration, without any authentication. An attacker who knows only a chatflow UUID can retrieve credentials stored in password-type fields and HTTP headers, leading to credential theft and more.
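A defensive sketch of the mitigation pattern, added here and not taken from Flowise or the advisory: build the unauthenticated response from an allowlist, then audit it for credential-like fields as a regression check. The field names, the allowlist and the sample config are constructed assumptions, not Flowise's real schema.

```javascript
// Key names whose values must never appear in an unauthenticated response.
const SENSITIVE_KEY = /(api[-_]?key|authorization|password|secret|token|cookie)/i;

// Hypothetical allowlist: display-only settings a public chat widget needs.
const PUBLIC_FIELDS = new Set(['welcomeMessage', 'backgroundColor', 'starterPrompts']);

// Build the public response from the allowlist only; every other key is dropped,
// so a newly added internal field is private by default.
function toPublicConfig(stored) {
  const out = {};
  for (const key of Object.keys(stored)) {
    if (PUBLIC_FIELDS.has(key)) out[key] = stored[key];
  }
  return out;
}

// Walk any JSON value and return the paths of fields that look like credentials:
// sensitive key names, plus the value of any input declared with type "password".
function findSensitivePaths(value, path = '$', hits = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findSensitivePaths(v, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === 'object') {
    if (value.type === 'password' && 'value' in value) hits.push(`${path}.value`);
    for (const [k, v] of Object.entries(value)) {
      if (SENSITIVE_KEY.test(k) && v !== null && typeof v !== 'object') {
        hits.push(`${path}.${k}`);
      } else {
        findSensitivePaths(v, `${path}.${k}`, hits);
      }
    }
  }
  return hits;
}

// Constructed sample of a stored chatflow configuration (all values are fake).
const storedConfig = {
  welcomeMessage: 'Hi!',
  backgroundColor: '#ffffff',
  inputs: [{ name: 'openAIKey', type: 'password', value: 'sk-CONSTRUCTED' }],
  httpNode: {
    url: 'https://internal.example/api',
    headers: { Authorization: 'Bearer CONSTRUCTED' },
  },
};

console.log('raw config leaks:', findSensitivePaths(storedConfig));
console.log('public view leaks:', findSensitivePaths(toPublicConfig(storedConfig)));
```

Running findSensitivePaths over the serialized response in a test suite catches a secret that slips in through an allowlisted field with nested content.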