Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13.
Published: 2026-03-07
Score: 7.7 High
EPSS: 12.2% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authentication check on the NVIDIA NIM router endpoints in Flowise. Because the /api/v1/nvidia-nim/* route is whitelisted in the global authentication middleware, any unauthenticated client that can reach the server can call privileged endpoints that create or manage containers and generate tokens. An attacker could therefore start or control container operations without authorization, potentially gaining administrative privileges and obtaining sensitive tokens. This flaw is classified as CWE-306 (Missing Authentication for Critical Function): unauthorized access to privileged resources.

Affected Systems

Flowise deployments running versions prior to 3.0.13 are affected; the vulnerability is present in every release up to but not including 3.0.13. The affected open-source product is listed as FlowiseAI:Flowise.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. The EPSS score (12.2%) suggests a moderately low likelihood of exploitation in the wild at present, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, the lack of authentication exposes container management functions over an unprotected HTTP API, which could be a stepping stone to further privilege escalation if the host and underlying infrastructure are not hardened. The attack vector is unauthenticated HTTP requests to the /api/v1/nvidia-nim/* endpoints; no precondition is required beyond network reachability of the Flowise instance.

Generated by OpenCVE AI on May 2, 2026 at 00:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Flowise version 3.0.13 or later which patches the missing authentication.
  • If upgrading is not immediately possible, block or remove access to /api/v1/nvidia-nim/* endpoints at the network layer.
  • Disable the container management and token generation features in the Flowise configuration, or restrict those endpoints to authenticated users only.
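To make the last item concrete, here is an added example written for this page; it is not Flowise's middleware, and every route name other than /api/v1/nvidia-nim, the token value and the request objects are constructed for illustration. It models a global authentication middleware with an allow-list of public path prefixes, shows the vulnerable allow-list beside the corrected one, and includes a guard function a project could run in CI so that no privileged router prefix is ever exempted from authentication:

```javascript
// Added example for this page, not Flowise's code. It models a global
// authentication middleware that skips auth for an allow-list of public
// path prefixes, shows how listing a privileged router there removes
// authentication from it, and adds a guard that catches the mistake.
// All route names below other than /api/v1/nvidia-nim are hypothetical.

// Vulnerable allow-list: the privileged NIM router is treated as public.
const PUBLIC_PREFIXES_VULNERABLE = [
  '/api/v1/ping',       // hypothetical health check, genuinely public
  '/api/v1/nvidia-nim', // mistake: privileged router exempted from auth
];

// Corrected allow-list: only genuinely public paths are exempt.
const PUBLIC_PREFIXES_FIXED = ['/api/v1/ping'];

// Prefixes that must never be reachable without authentication
// (hypothetical inventory a project would maintain alongside its routes).
const PRIVILEGED_PREFIXES = ['/api/v1/nvidia-nim'];

// True when `path` equals `prefix` or lies beneath it; a plain startsWith
// would also match '/api/v1/ping-other', so require a '/' boundary.
function underPrefix(path, prefix) {
  return path === prefix || path.startsWith(prefix + '/');
}

function isWhitelisted(path, publicPrefixes) {
  return publicPrefixes.some((p) => underPrefix(path, p));
}

// Stand-in for an Express-style middleware, reduced to a pure decision so
// it can be unit-tested without a server. The bearer-token check is a toy;
// a real deployment would validate a session or API key.
function authDecision(req, publicPrefixes, validToken = 'constructed-token') {
  if (isWhitelisted(req.path, publicPrefixes)) return 'allow';
  const header = req.headers['authorization'] || '';
  return header === `Bearer ${validToken}` ? 'allow' : 'deny';
}

// Guard: return every privileged prefix the allow-list would exempt, either
// because a public prefix covers it (e.g. '/api/v1' listed as public) or
// because the privileged prefix itself, or a path beneath it, is listed.
function findPrivilegedWhitelisted(publicPrefixes) {
  return PRIVILEGED_PREFIXES.filter((priv) =>
    publicPrefixes.some((pub) => underPrefix(priv, pub) || underPrefix(pub, priv))
  );
}

// Constructed request: an unauthenticated call to a path under the NIM router.
const anonymousNimRequest = { path: '/api/v1/nvidia-nim/hypothetical-op', headers: {} };

console.log('vulnerable allow-list:', authDecision(anonymousNimRequest, PUBLIC_PREFIXES_VULNERABLE)); // allow
console.log('fixed allow-list:     ', authDecision(anonymousNimRequest, PUBLIC_PREFIXES_FIXED));      // deny
console.log('guard (vulnerable):   ', findPrivilegedWhitelisted(PUBLIC_PREFIXES_VULNERABLE));         // [ '/api/v1/nvidia-nim' ]
console.log('guard (fixed):        ', findPrivilegedWhitelisted(PUBLIC_PREFIXES_FIXED));              // []
```

The guard is the part worth keeping: an allow-list in a global middleware is a deny-by-default control, and a single entry added for convenience silently converts a privileged router into a public one. Checking the allow-list against an explicit inventory of privileged prefixes in a unit test turns that silent change into a failing build.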



Advisories
Source | ID | Title
GitHub GHSA | GHSA-5f53-522j-j454 | Flowise Missing Authentication on NVIDIA NIM Endpoints
History

Wed, 11 Mar 2026 13:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Metrics (cvssV3_1) | | {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 09 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Flowiseai; Flowiseai flowise
Vendors & Products | | Flowiseai; Flowiseai flowise

Sat, 07 Mar 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13.
Title | | Flowise: Missing Authentication on NVIDIA NIM Endpoints
Weaknesses | | CWE-306
References | |
Metrics (cvssV4_0) | | {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}


Subscriptions

Flowiseai Flowise
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:44:24.459Z

Reserved: 2026-03-05T21:06:44.605Z

Link: CVE-2026-30824

Vulnrichment

Updated: 2026-03-09T20:35:36.421Z

NVD

Status: Analyzed

Published: 2026-03-07T06:16:10.157

Modified: 2026-03-11T13:35:41.370

Link: CVE-2026-30824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses