Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response. The code properly omits encryptedData when no filter is used but fails to do so when a filter is used. This issue has been patched in version 3.1.2.
Published: 2026-06-08
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user to request credentials with a credentialName filter parameter and receive the encryptedData field as part of the response. The encrypted credential data is therefore exposed to anyone able to perform that filtered query. This breach of confidentiality is a classic data‑exposure weakness classified as CWE‑200.

Affected Systems

Products affected are FlowiseAI’s Flowise application. All releases prior to version 3.1.2 are impacted; the problem was fixed in 3.1.2.

Risk and Exploitability

The CVSS score of 7 indicates a moderate to high severity. Because the exploit requires the ability to perform filtered credential queries, the attack vector is likely remote via the web or API interface. An attacker who has access to the Flowise deployment or can authenticate with sufficient privileges can retrieve sensitive encrypted credential information. The EPSS score is not available, and the vulnerability is not currently listed in CISA’s KEV catalog, but the potential for credential compromise warrants prompt attention.

Generated by OpenCVE AI on June 8, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.1.2 or later to apply the vendor‑provided fix.
  • If an immediate upgrade is not possible, remove or neutralize the credentialName filter logic so that encryptedData is not returned in any response.
  • Implement strict access controls on the credential retrieval API, ensuring that only authorized administrative users can query credential data.

Generated by OpenCVE AI on June 8, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7g73-99r4-m4mj FlowiseAI Vulnerable to Credential Data Leak
History

Thu, 11 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Flowiseai
Flowiseai flowise
Vendors & Products Flowiseai
Flowiseai flowise

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response. The code properly omits encryptedData when no filter is used but fails to do so when a filter is used. This issue has been patched in version 3.1.2.
Title Flowise: Credential Data Leak
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Flowiseai Flowise
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T15:30:52.686Z

Reserved: 2026-05-13T22:18:22.831Z

Link: CVE-2026-46443

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-06-08T16:16:41.493

Modified: 2026-06-11T04:08:36.827

Link: CVE-2026-46443

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T16:45:26Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor