Description
A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. You should upgrade the affected component.
Published: 2026-05-06
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Login function of FlowiseAI Flowise's account.service.ts: a manipulated login request causes the API response handler to disclose authentication data. Sensitive information such as credentials (the GHSA advisory this record links is titled "Bcrypt Password Hash Exposure") can therefore be leaked through the API's response. The flaw is not a code-execution flaw; it leads to unintended data exposure that could be leveraged for further attacks.

Affected Systems

The flaw affects FlowiseAI Flowise deployments up to version 3.0.12. Any installation of the Flowise platform using a version equal to or older than 3.0.12 is susceptible, regardless of environment, as the issue is embedded in the core Flowise API code.

Risk and Exploitability

The CVSS base score is 6.3, indicating moderate severity, and the EPSS score is below 1%, indicating a low probability of active exploitation. The attack vector is network (remote), the attack complexity is high, and the flaw is considered difficult to exploit. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack path, inferred from the description, involves crafted requests to the login endpoint that cause the API to return extraneous authentication details.

Generated by OpenCVE AI on May 7, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.0.13 or later, which fixes the CWE-200 information exposure and CWE-284 improper access control flaws in the login handler.
  • Enforce strict access control (CWE-284) on the login and account endpoints by validating user roles and revoking unnecessary administrator privileges, so that only authorized clients can trigger the API response.
  • Implement server-side response sanitization (CWE-200) to remove or mask any authentication data exposed by the API before it is returned to clients.

Generated by OpenCVE AI on May 7, 2026 at 16:52 UTC.
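The response-sanitization recommendation above, as an added TypeScript example that is not Flowise project code: the login handler returns an allowlisted DTO instead of the stored user entity, and a guard refuses to serialise any payload that still carries a bcrypt-formatted string (the linked GHSA advisory is titled "Bcrypt Password Hash Exposure"). The StoredUser field names, the helper names and the hash-shaped sample value are constructed assumptions.

```typescript
// Added example, not Flowise project code. The StoredUser field names and
// the bcrypt-shaped sample value below are constructed for illustration.

// Internal record as a persistence layer might return it (assumed shape).
interface StoredUser {
  id: string; email: string; name: string;
  password: string;    // bcrypt hash: must never leave the server
  tempToken?: string;  // any other secret-bearing column stays private too
}

// Public view: an explicit allowlist, so a column added later is private by default.
interface LoginResponse { id: string; email: string; name: string; }

// Modular-crypt bcrypt layout: $2a$/$2b$/$2x$/$2y$, 2-digit cost, 53-char salt+hash.
const BCRYPT_HASH = /^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// The leaky pattern: serialising the entity itself ships the hash to the client.
function unsafeLoginBody(user: StoredUser): string {
  return JSON.stringify(user);
}

// Hardened: copy only allowlisted fields. Deleting user.password from the
// entity instead silently fails the day a new secret field is added.
function toLoginResponse(user: StoredUser): LoginResponse {
  return { id: user.id, email: user.email, name: user.name };
}

// Defence in depth: true if a bcrypt-formatted string occurs anywhere in
// the object graph that is about to be serialised.
function containsBcryptHash(value: unknown): boolean {
  if (typeof value === 'string') return BCRYPT_HASH.test(value);
  if (Array.isArray(value)) return value.some(containsBcryptHash);
  if (value !== null && typeof value === 'object') {
    return Object.values(value as Record<string, unknown>).some(containsBcryptHash);
  }
  return false;
}

function safeLoginBody(user: StoredUser): string {
  const body = toLoginResponse(user);
  if (containsBcryptHash(body)) throw new Error('password hash in login response');
  return JSON.stringify(body);
}

// Constructed sample; the password value is bcrypt-shaped, not a real hash.
const sampleUser: StoredUser = {
  id: 'u-1', email: 'alice@example.com', name: 'Alice',
  password: '$2b$10$' + 'N9qo8uLOickgx2ZMRZoMye'.padEnd(53, 'u'),
  tempToken: 'constructed-token',
};
```

The guard is a backstop for the allowlist, not a replacement for it: the DTO is what keeps the hash out, the regex check only turns a future regression into a failed request instead of a silent leak.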

Advisories
Source: Github GHSA
ID: GHSA-8f47-4rh3-x44m
Title: Flowise: Bcrypt Password Hash Exposure
History

Thu, 07 May 2026 15:15:00 +0000
Weaknesses (value added): CWE-312

Wed, 06 May 2026 13:15:00 +0000
Metrics (value added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 13:00:00 +0000
Description (value added): A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. You should upgrade the affected component.
Title (value added): FlowiseAI Flowise API Response account.service.ts login information disclosure
First Time appeared (values added): Flowiseai; Flowiseai flowise
Weaknesses (values added): CWE-200, CWE-284
CPEs (value added): cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products (values added): Flowiseai; Flowiseai flowise
References (values added):
Metrics (values added):
cvssV2_0 {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:ND/RL:OF/RC:C'}
cvssV3_0 {'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}
cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}
cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Flowiseai Flowise
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-06T13:03:55.441Z

Reserved: 2026-05-06T07:40:30.890Z

Link: CVE-2026-8026

Vulnrichment

Updated: 2026-05-06T13:03:51.605Z

NVD

Status : Analyzed

Published: 2026-05-06T13:16:10.577

Modified: 2026-05-07T15:04:56.137

Link: CVE-2026-8026

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T17:00:12Z

Weaknesses