GHSA-6pcv-j4jx-m4vx: Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request

April 16, 2026

I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth credentials (Client Secrets) in cleartext.

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-6pcv-j4jx-m4vx
github.com/advisories/GHSA-6pcv-j4jx-m4vx

Code Behaviors & Features

Detect and mitigate GHSA-6pcv-j4jx-m4vx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →