flowise
npm72 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting flowisepage 2 of 2
- CVE-2026-42862MEDIUMCVSS 5.0EG 5.0✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to mo…
- CVE-2026-42863HIGHCVSS 8.1EG 8.1✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify ser…
- CVE-2026-43995CRITICALCVSS 9.8EG 9.8✓ Fixed in 3.1.02026-05-11
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. Th…
- CVE-2026-46440CRITICALCVSS 9.1EG 9.1✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue ha…
- CVE-2026-46441CRITICALCVSS 9.6EG 9.6✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users …
- CVE-2026-46442CRITICALCVSS 9.9EG 9.9✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitr…
- CVE-2026-46443MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response…
- CVE-2026-46444HIGHCVSS 8.8EG 8.8✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assi…
- CVE-2026-46475HIGHCVSS 8.8EG 8.8✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version …
- CVE-2026-46476HIGHCVSS 8.8EG 8.8✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in vers…
- CVE-2026-46477HIGHCVSS 8.8EG 8.8✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover. This issue has been patched in version 3.1.…
- CVE-2026-46478HIGHCVSS 8.8EG 8.8✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover. This issue has been patched in version 3.1.2.
- CVE-2026-46479HIGHCVSS 8.8EG 8.8✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in versio…
- CVE-2026-46480HIGHCVSS 8.8EG 8.8✓ Fixed in 3.1.22026-06-08
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version …
- CVE-2026-56267MEDIUMCVSS 6.9EG 6.9✓ Fixed in 3.0.132026-06-20
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addr…
- CVE-2026-56268HIGHCVSS 7.7EG 7.7✓ Fixed in 3.1.22026-05-20
Flowise before 3.1.2 contains an information disclosure vulnerability in the /api/v1/chatflows/apikey/:apikey endpoint. When the keyonly query parameter is omitted (the default), the endpoint returns not only the chatflows bound to the sup…
- CVE-2026-56272MEDIUMCVSS 4.1EG 4.1✓ Fixed in 3.0.132026-03-05
Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware…
- CVE-2026-56273MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.1.02026-07-08
Flowise before 3.1.0 contains a path traversal vulnerability in Faiss and SimpleStore vector store implementations that accept unsanitized basePath parameters from authenticated users. Attackers with valid API tokens can write vector store…
- CVE-2026-56276MEDIUMCVSS 6.0EG 6.0✓ Fixed in 3.1.22026-06-20
Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification an…
- CVE-2026-56277MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.1.22026-07-01
Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy…
- CVE-2026-56278CRITICALCVSS 9.1EG 9.1✓ Fixed in 3.1.02026-07-01
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise…
- CVE-2026-8026LOWCVSS 3.7EG 3.72026-05-06
A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in…
Check whether flowise is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for flowise CVEs against the assets you own.
Start Free Scan →