GHSA-6f7g-v4pp-r667: Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise

April 16, 2026

Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow.

By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication.

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-6f7g-v4pp-r667
github.com/advisories/GHSA-6f7g-v4pp-r667

Code Behaviors & Features

Detect and mitigate GHSA-6f7g-v4pp-r667 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →