Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2.
Published: 2026-06-08
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise's checkBasicAuth endpoint validates credentials in plaintext using direct comparison without cryptographic safeguards. The absence of rate limiting and the straightforward comparison logic enable an attacker to immediately retrieve or brute‑force authentication credentials. This exposes user accounts and any privileges tied to those accounts, allowing unauthorized access to Flowise’s web interface and underlying services.

Affected Systems

The affected vendor is FlowiseAI and the affected product is Flowise. Any installation running a version prior to 3.1.2 is vulnerable. The issue was publicly identified in the Flowise release notes; versions before 3.1.2 are affected.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity vulnerability. The EPSS score is 0.00041, indicating a very low probability of exploitation, and Flowise is not listed in the CISA KEV catalog. The likely attack vector is a network‑accessible API endpoint that accepts Basic Authentication, which can be exploited from the Internet or internal networks if firewall rules are permissive. Given the lack of rate limiting, attackers can quickly enumerate or brute‑force credentials, increasing the potential for widespread credential compromise.

Generated by OpenCVE AI on June 11, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.1.2 or later, which replaces the vulnerable checkBasicAuth logic.
  • Configure network controls or a reverse‑proxy to restrict access to the Basic Authentication API and implement rate limiting to mitigate credential brute-forcing.
  • Enforce secure credential handling by storing hashed passwords and disabling plaintext credential validation, consistent with CWE‑522 remediation practices.



Advisories
Source: Github GHSA
ID: GHSA-php6-83fg-gw3g
Title: FlowiseAI Exposes Basic Auth Credentials via API
History

Thu, 11 Jun 2026 04:15:00 +0000

  CPEs: cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
  Metrics (cvssV3_1): {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Mon, 08 Jun 2026 20:30:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 17:00:00 +0000

  First Time appeared: Flowiseai; Flowiseai flowise
  Vendors & Products: Flowiseai; Flowiseai flowise

Mon, 08 Jun 2026 15:45:00 +0000

  Description: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2.
  Title: Flowise: Basic Auth Credentials Exposed via API
  Weaknesses: CWE-522
  References:
  Metrics (cvssV3_0): {'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T19:18:43.370Z

Reserved: 2026-05-13T22:18:22.831Z

Link: CVE-2026-46440

Vulnrichment

Updated: 2026-06-08T19:17:11.325Z

NVD

Status: Analyzed

Published: 2026-06-08T16:16:41.043

Modified: 2026-06-11T04:06:33.593

Link: CVE-2026-46440

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T06:00:10Z

Weaknesses
  • CWE-522: Insufficiently Protected Credentials