CVE-2026-30823: Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
The Flowise platform has a critical Insecure Direct Object Reference (IDOR) vulnerability, combined with a business logic flaw, in the PUT /api/v1/loginmethod endpoint.
While the endpoint requires authentication, it does not verify that the authenticated user owns, or has administrative rights over, the target organizationId. Any low-privileged user (including “Free” plan users) can therefore:
- Overwrite the SSO configuration of any other organization.
- Enable “Enterprise-only” features (SSO/SAML) without a license.
- Perform Account Takeover by redirecting the authentication flow.
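The following is an added, stand-alone model of the flaw described above and of the check that closes it; it is not Flowise code, and the types, role names, plan names and the set of enterprise-only login methods are assumptions made for illustration. The vulnerable handler accepts any organizationId from the request body, while the hardened one binds the target to the caller's own organization, requires an administrative role and enforces the license before writing.

```typescript
// Added example (not Flowise code): a stand-alone model of the missing check.
// Types, role names and plan names are assumptions made for illustration.
type Role = 'owner' | 'admin' | 'member';
type Plan = 'free' | 'enterprise';
interface AuthUser { id: string; organizationId: string; role: Role }
interface Organization { id: string; plan: Plan; loginMethod: string }
interface LoginMethodUpdate { organizationId: string; loginMethod: string }
interface Result { status: number; body: string }

// Vulnerable shape: authentication is checked, but organizationId is taken
// from the request body and used as-is, with no ownership or role check.
function updateLoginMethodVulnerable(
  user: AuthUser | null, req: LoginMethodUpdate, orgs: Map<string, Organization>
): Result {
  if (!user) return { status: 401, body: 'unauthenticated' };
  const org = orgs.get(req.organizationId);
  if (!org) return { status: 404, body: 'no such organization' };
  org.loginMethod = req.loginMethod; // any authenticated user, any organization
  return { status: 200, body: 'updated' };
}

// Hardened shape: bind the object reference to the caller's own organization,
// require an administrative role, and enforce the license before writing.
function updateLoginMethodHardened(
  user: AuthUser | null, req: LoginMethodUpdate, orgs: Map<string, Organization>
): Result {
  if (!user) return { status: 401, body: 'unauthenticated' };
  if (req.organizationId !== user.organizationId) // IDOR fix
    return { status: 403, body: 'organization mismatch' };
  if (user.role !== 'owner' && user.role !== 'admin') // privilege check
    return { status: 403, body: 'insufficient role' };
  const org = orgs.get(req.organizationId);
  if (!org) return { status: 404, body: 'no such organization' };
  const ssoMethods = new Set(['saml', 'oidc']); // enterprise-only methods (assumed)
  if (ssoMethods.has(req.loginMethod) && org.plan !== 'enterprise')
    return { status: 402, body: 'enterprise license required' };
  org.loginMethod = req.loginMethod;
  return { status: 200, body: 'updated' };
}

// Constructed sample data: one free and one enterprise organization.
function sampleOrgs(): Map<string, Organization> {
  return new Map<string, Organization>([
    ['org-free', { id: 'org-free', plan: 'free', loginMethod: 'password' }],
    ['org-ent', { id: 'org-ent', plan: 'enterprise', loginMethod: 'password' }],
  ]);
}
```

The same three checks (object ownership, role, license) are what a reviewer should look for on any endpoint that takes an organizationId from the request body.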