Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.
Published: 2026-04-23
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated disclosure of OAuth 2.0 access tokens
Action: Patch Update
AI Analysis

Impact

Flowise is vulnerable to an authentication bypass that allows an attacker without credentials to retrieve OAuth 2.0 access tokens from a public chatflow configuration. By accessing the exposed endpoint, an attacker can obtain internal token identifiers and use them to refresh and generate valid access tokens, potentially enabling unauthorized access to downstream services and sensitive data. The weakness is an instance of improper authorization, classified as CWE-306.

Affected Systems

The vulnerability affects all Flowise instances deployed by FlowiseAI prior to version 3.1.0, including all releases of the Flowise platform before that point.

Risk and Exploitability

With a CVSS score of 7.7, the flaw presents a moderate to high risk level. The EPSS score of less than 1% suggests that, historically, exploitation attempts are infrequent, and the vulnerability is not currently catalogued in the CISA KEV list. The likely attack vector is remote, unauthenticated, through the public chatflow configuration endpoint, as inferred from the description. Given the disclosed capability to obtain usable tokens, the potential impact on confidentiality and integrity is significant if an attacker can leverage the tokens to impersonate legitimate users.

Generated by OpenCVE AI on April 28, 2026 at 14:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Flowise 3.1.0 or newer, which removes the authentication bypass flaw.
  • Restrict or disable public access to chatflow configuration endpoints to eliminate the exposure point.
  • Revoke any OAuth credentials that may have been exposed through the configuration and rotate them to prevent misuse.

Generated by OpenCVE AI on April 28, 2026 at 14:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6f7g-v4pp-r667 Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise
History

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Flowiseai
Flowiseai flowise
CPEs cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products Flowiseai
Flowiseai flowise
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Thu, 23 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.
Title Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Flowiseai Flowise
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:20:20.316Z

Reserved: 2026-04-18T14:01:46.801Z

Link: CVE-2026-41273

cve-icon Vulnrichment

Updated: 2026-04-24T14:33:32.205Z

cve-icon NVD

Status : Modified

Published: 2026-04-23T20:16:15.973

Modified: 2026-04-24T19:17:11.530

Link: CVE-2026-41273

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses