Abstract Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. Vulnerability Details Version tested: 3.0.13 Installer file: https://github.com/FlowiseAI/Flowise Platform tested: Ubuntu 25.10 Analysis This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing …
ZDI-CAN-29412: FlowiseAI Flowise Airtable_Agent Code Injection Remote Code Execution Vulnerability – ABSTRACT ————————————- Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Flowise - Flowise – VULNERABILITY DETAILS ———————— Version tested: 3.0.13 Installer file: hxxps://github.com/FlowiseAI/Flowise Platform tested: Ubuntu 25.10
ZDI-CAN-29412: FlowiseAI Flowise Airtable_Agent Code Injection Remote Code Execution Vulnerability Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Flowise - Flowise – VULNERABILITY DETAILS ———————— Version tested: 3.0.13 Installer file: hxxps://github.com/FlowiseAI/Flowise Platform tested: Ubuntu 25.10
The text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech.
The text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech.
The GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows AND public-chatbotConfig return completely raw flowData including credential IDs, plaintext API keys, and password-type fields.
The GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows AND public-chatbotConfig return completely raw flowData including credential IDs, plaintext API keys, and password-type fields.
A Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities. Because the service uses repository.save() with a client-supplied primary key, the POST create endpoint behaves as an implicit UPSERT operation. This enables overwriting existing DocumentStore objects. In multi-workspace or multi-tenant deployments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR), allowing an …
A Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities. Because the service uses repository.save() with a client-supplied primary key, the POST create endpoint behaves as an implicit UPSERT operation. This enables overwriting existing DocumentStore objects. In multi-workspace or multi-tenant deployments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR), allowing an …
Detection Method: Kolega.dev Deep Code Scan | Attribute | Value | |—|—| | Location | packages/server/src/enterprise/utils/tempTokenUtils.ts:31-34 | | Practical Exploitability | Medium | | Developer Approver | faizan@kolega.ai |
Detection Method: Kolega.dev Deep Code Scan | Attribute | Value | |—|—| | Severity | Critical | | Location | packages/server/src/enterprise/middleware/passport/index.ts:29-34 | | Practical Exploitability | High | | Developer Approver | faizan@kolega.ai |
Detection Method: Kolega.dev Deep Code Scan | Attribute | Value | |—|—| | Location | packages/server/src/enterprise/middleware/passport/index.ts:55 | | Practical Exploitability | High | | Developer Approver | faizan@kolega.ai |
Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication.
Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication.
I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth credentials (Client Secrets) in cleartext.
A Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services)
A Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services)
Flowise introduced SSRF protections through a centralized HTTP security wrapper (httpSecurity.ts) that implements deny-list validation and IP pinning logic. However, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axiosInstead of using the secured wrapper. Because enforcement is neither mandatory nor centralized, these tools bypass SSRF mitigation entirely, restoring full SSRF capability even after the patch. This issue is distinct from specification trust issues and represents incomplete mitigation …
Flowise introduced SSRF protections through a centralized HTTP security wrapper (httpSecurity.ts) that implements deny-list validation and IP pinning logic. However, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axiosInstead of using the secured wrapper. Because enforcement is neither mandatory nor centralized, these tools bypass SSRF mitigation entirely, restoring full SSRF capability even after the patch. This issue is distinct from specification trust issues and represents incomplete mitigation …
The core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list.
The core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list.
/api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more.
/api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more.
ZDI-CAN-28762: Flowise AccountService resetPassword Authentication Bypass Vulnerability – ABSTRACT ————————————- Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Flowise - Flowise – VULNERABILITY DETAILS ———————— Version tested: 3.0.12 Installer file: hxxps://github.com/FlowiseAI/Flowise Platform tested: NA
ZDI-CAN-28762: Flowise AccountService resetPassword Authentication Bypass Vulnerability – ABSTRACT ————————————- Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Flowise - Flowise – VULNERABILITY DETAILS ———————— Version tested: 3.0.12 Installer file: hxxps://github.com/FlowiseAI/Flowise Platform tested: NA
“AirtableAgent” is an agent function provided by FlowiseAI that retrieves search results by accessing private datasets from airtable.com. “AirtableAgent” uses Python, along with Pyodide and Pandas, to get and return results. The user’s input is directly applied to the question parameter within the prompt template and it is reflected to the Python code without any sanitization. The point is that an attacker can bypass the intended behavior of the LLM …
“AirtableAgent” is an agent function provided by FlowiseAI that retrieves search results by accessing private datasets from airtable.com. “AirtableAgent” uses Python, along with Pyodide and Pandas, to get and return results. The user’s input is directly applied to the question parameter within the prompt template and it is reflected to the Python code without any sanitization. The point is that an attacker can bypass the intended behavior of the LLM …
The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a basePath parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.
Summary: The password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle (MITM) attack, where an attacker on the same network as the user (e.g., public Wi-Fi) can intercept the reset link and gain unauthorized access to the victim’s account. Steps to Reproduce: Sign up for a new account on https://cloud.flowiseai.com/register. Navigate to the …
Summary: The password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle (MITM) attack, where an attacker on the same network as the user (e.g., public Wi-Fi) can intercept the reset link and gain unauthorized access to the victim’s account. Steps to Reproduce: Sign up for a new account on https://cloud.flowiseai.com/register. Navigate to the …
Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance.
Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance.
An improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment.
An improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment.
In FlowiseAI, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE).
In FlowiseAI, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE).
The GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion.
The GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion.
The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide the following payload: DataFrame({'foo': ['bar!']});import os;os.system('whoami') that will get interpolated and executed by the server.
The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide the following payload: DataFrame({'foo': ['bar!']});import os;os.system('whoami') that will get interpolated and executed by the server.
Due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution.
A Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration.
A Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration.
The attacker provides an intranet address through the base url field configured in the Execute Flow node → Bypass checkDenyList / resolveAndValidate in httpSecurity.ts (not called) → Causes the server to initiate an HTTP request to any internal network address, read cloud metadata, or detect internal network services
Description: Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints. This enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the …
The NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.
The Flowise platform has a critical Insecure Direct Object Reference (IDOR) vulnerability combined with a Business Logic Flaw in the PUT /api/v1/loginmethod endpoint. While the endpoint requires authentication, it fails to validate if the authenticated user has ownership or administrative rights over the target organizationId. This allows any low-privileged user (including "Free" plan users) to: Overwrite the SSO configuration of any other organization. Enable "Enterprise-only" features (SSO/SAML) without a license. …
Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privileges.
- Root Cause The vulnerability stems from relying solely on the MIME type without cross-validating the file extension or actual content. This allows attackers to upload executable files (e.g., .js, .php) or malicious scripts (.html) by masquerading them as benign images or documents. 2. Key Attack Scenarios Server Compromise (RCE): An attacker uploads a Web Shell and triggers its execution on the server. Successful exploitation grants system privileges, allowing unauthorized …
A Mass Assignment vulnerability in the /api/v1/leads endpoint allows any unauthenticated user to control internal entity fields (id, createdDate, chatId) by including them in the request body. The endpoint uses Object.assign() to copy all properties from the request body to the Lead entity without any input validation or field filtering. This allows attackers to bypass auto-generated fields and inject arbitrary values. | Field | Value | |——-|——-| | Vulnerability Type …
The /api/v1/account/forgot-password endpoint returns the full user object including PII (id, name, email, status, timestamps) in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email address.
The default bcrypt salt rounds is set to 5, which is below the recommended minimum for security.