Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13.
Published: 2026-03-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover via IDOR leading to SSO configuration manipulation and enterprise feature bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference that allows an authenticated user to modify other users’ account settings. This can enable the attacker to take over an account and reconfigure Single Sign On settings to gain broader access, effectively bypassing enterprise‑grade restrictions. The impacted weakness corresponds to authorization bypass and credential mis‑management issues.

Affected Systems

The affected product is FlowiseAI’s Flowise. The vendor’s CNA data does not specify affected versions, but the description states that versions prior to 3.0.13 are impacted.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is considered High‑Severity. The EPSS score is below 1 %, indicating a very low probability of exploitation at this time, and the issue is not listed in the CISA KEV catalog. The likely attack path requires attacker authentication and access to the application’s API or web interface; once authenticated, the IDOR can be leveraged to modify or retrieve data belonging to other accounts, potentially enabling full control over those accounts.

Generated by OpenCVE AI on April 18, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.0.13 or later.
  • Restrict SSO configuration changes to administrators only and review user roles.
  • Enable logging and monitor for unauthorized SSO configuration changes.

Generated by OpenCVE AI on April 18, 2026 at 17:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cwc3-p92j-g7qm Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
History

Wed, 11 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Flowiseai
Flowiseai flowise
Vendors & Products Flowiseai
Flowiseai flowise

Sat, 07 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13.
Title Flowise: IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
Weaknesses CWE-639
CWE-862
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Flowiseai Flowise
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:44:24.602Z

Reserved: 2026-03-05T21:06:44.605Z

Link: CVE-2026-30823

cve-icon Vulnrichment

Updated: 2026-03-09T20:35:38.393Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-07T06:16:10.007

Modified: 2026-03-11T13:36:25.867

Link: CVE-2026-30823

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:30:05Z

Weaknesses