RAXE-2026-033 CRITICAL CVSS 9.8 v3.1 S2

Flowise LLM Orchestration Platform Six-Vulnerability Cluster: Missing Authentication, File Upload, Auth Bypass, IDOR, Mass Assignment, and SSRF

S2: Agent Security AML.T0010.001 2026-03-12 M. Hirani TLP:GREEN

1. Executive Summary

Six security vulnerabilities have been disclosed in Flowise, a drag-and-drop user interface for building customised large language model workflows, affecting the flowise npm package at versions 3.0.12 and earlier [1–12]. The cluster spans two critical-severity vulnerabilities, missing authentication on NVIDIA NIM container management endpoints (CVE-2026-30824, NVD CVSS 9.8) and arbitrary file upload via MIME spoofing (CVE-2026-30821, NVD CVSS 9.8), alongside four CVSS High vulnerabilities: authorisation bypass via a spoofed internal header (CVE-2026-30820, NVD CVSS 8.8), IDOR leading to account takeover via SSO configuration (CVE-2026-30823, CNA CVSS 8.8), mass assignment in the leads endpoint (CVE-2026-30822, CNA CVSS 7.7), and server-side request forgery in the HTTP Node (CVE-2026-31829, NVD CVSS 8.8) [1–6]. The authentication requirements vary across the cluster: three vulnerabilities require no authentication (CVE-2026-30824, CVE-2026-30821, CVE-2026-30822), while three require low-privilege access (CVE-2026-30820, CVE-2026-30823, CVE-2026-31829) [1–6]. However, the GHSA advisory for CVE-2026-31829 notes that "Flowise instances are often deployed publicly without authentication (FLOWISE_USERNAME/FLOWISE_PASSWORD not set by default)" [12], which may broaden real-world exposure for CVE-2026-31829 and may reduce practical barriers to exploitation in some deployments, but CVE-2026-30820 and CVE-2026-30823 remain authenticated-user issues in the published advisories (RAXE assessment).

Three of the six vulnerabilities (CVE-2026-30824, CVE-2026-30821, CVE-2026-30822) derive directly from the Flowise authentication whitelist mechanism (WHITELIST_URLS in packages/server/src/utils/constants.ts), which exempts sensitive API endpoints from JWT validation without compensating per-endpoint authentication checks [7, 8, 11]. CVE-2026-30820 is a distinct middleware authorisation flaw where the x-request-from: internal header is trusted without validation [9]. The remaining two, CVE-2026-30823 (IDOR via missing ownership validation on organizationId) [10] and CVE-2026-31829 (SSRF via missing URL validation in the HTTP Node) [12], have distinct root causes unrelated to the whitelist. Together, the cluster reflects repeated access-control and trust-boundary weaknesses across multiple subsystems (RAXE assessment). All six are fixed in version 3.0.13, which exists in the npm registry [7, 13, 14]. Organisations running Flowise should upgrade immediately; instances exposed to the public internet should be taken offline until patched (RAXE assessment).


2. Risk Rating

| Dimension | Rating | Detail |
|---|---|---|
| Severity | Critical | Lead CVSS 9.8 (NVD Primary, CVE-2026-30824 and CVE-2026-30821); two critical and four CVSS High vulnerabilities [1, 2] |
| Urgency | High | Patches available in v3.0.13 [7, 13]; public PoC exists for CVE-2026-30824 [7]; three of six require no authentication [1, 2, 5] |
| Scope | AI/ML Tooling | Flowise is an LLM orchestration platform used to build AI chatflows and agent workflows [7] |
| Confidence | High | Four of six CVEs fully Analysed by NVD with Primary scores; two have CNA-submitted scores with NVD status pending Primary assessment; all six have published GHSA advisories [1–12] |
| Business Impact | High | Unauthenticated credential theft (NVIDIA API tokens), arbitrary file upload enabling potential RCE, cross-organisation account takeover, and SSRF enabling internal network access [7–12] |

3. Affected Products

| Product | Package | Registry | Affected Versions | Fixed Version | Verified |
|---|---|---|---|---|---|
| Flowise | flowise | npm | <= 3.0.12 | 3.0.13 | Yes, npm registry confirms v3.0.13 exists [14] |

Am I Affected?

  1. Check if you use Flowise: Search for flowise in your package.json files, Docker images, or deployment configurations
  2. Check your version: Run npx flowise --version or check node_modules/flowise/package.json for the version field. Versions 3.0.12 and earlier are affected [7–12]
  3. Check network exposure: Determine whether your Flowise instance is accessible from the internet. Check whether FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables are set; Flowise does not require authentication by default [12]
  4. Check NVIDIA NIM integration: If you use NVIDIA NIM with Flowise, the unauthenticated /api/v1/nvidia-nim/get-token endpoint may have already leaked API tokens [7]

4. Abstract

This advisory covers a coordinated disclosure of six vulnerabilities in the Flowise LLM orchestration platform (npm package flowise, versions <= 3.0.12), published via GitHub Security Advisories between 5 and 10 March 2026 [7–12]. Three of the six vulnerabilities derive directly from Flowise's WHITELIST_URLS mechanism, which exempts sensitive API routes from JWT validation at the middleware level without compensating per-endpoint access control checks [7, 8, 11]. A fourth (CVE-2026-30820) is a distinct middleware authorisation bypass via a spoofable x-request-from: internal header [9]. The remaining two (IDOR via missing ownership validation [10] and SSRF via missing URL validation [12]) have distinct root causes. The cluster collectively reflects repeated access-control weaknesses across multiple subsystems (RAXE assessment). The cluster includes two critical-severity unauthenticated vulnerabilities (missing authentication on NVIDIA NIM endpoints and arbitrary file upload via MIME spoofing), one CVSS High authorisation bypass via a spoofed HTTP header, one CVSS High IDOR enabling cross-organisation account takeover, one CVSS High mass assignment allowing database field injection, and one CVSS High SSRF permitting internal network access [1–6]. All six are remediated in version 3.0.13 [7, 13].


5. Key Findings

  1. Repeated access-control and trust-boundary weaknesses: Three of six vulnerabilities derive directly from the WHITELIST_URLS array in packages/server/src/utils/constants.ts that exempts API routes from JWT validation, with no compensating per-endpoint authentication checks (CVE-2026-30824, CVE-2026-30821, CVE-2026-30822) [7, 8, 11]. CVE-2026-30820 is a distinct middleware authorisation bypass via a spoofable x-request-from: internal header [9]. The remaining two have distinct root causes: CVE-2026-30823 involves missing ownership validation on organizationId [10], and CVE-2026-31829 involves missing URL validation in the HTTP Node [12]. The cluster reflects a pattern where integration convenience overrides access control discipline across multiple subsystems (RAXE assessment).

  2. Two critical-severity unauthenticated vulnerabilities: CVE-2026-30824 (NVD CVSS 9.8) exposes NVIDIA API tokens and enables unauthenticated container manipulation [7, 1]. CVE-2026-30821 (NVD CVSS 9.8) enables arbitrary file upload via MIME type spoofing on the whitelisted attachment endpoint [8, 2].

  3. Cross-organisation account takeover: CVE-2026-30823 (CNA CVSS 8.8) allows any authenticated user to overwrite another organisation's SSO configuration, redirecting authentication to attacker-controlled OAuth endpoints [10, 4].

  4. Default-unauthenticated deployment pattern: The advisory for CVE-2026-31829 explicitly states that "Flowise instances are often deployed publicly without authentication (FLOWISE_USERNAME/FLOWISE_PASSWORD not set by default)" [12], which may broaden real-world exposure for CVE-2026-31829 and reduce practical barriers in some deployments, but CVE-2026-30820 and CVE-2026-30823 remain authenticated-user issues in the published advisories (RAXE assessment).

  5. CVSS score disagreements between NVD and CNA: Four of six CVEs show scoring differences between NVD Primary and CNA-submitted assessments, with deltas ranging from 0.1 to 2.1 points. Two CVEs (CVE-2026-30823 and CVE-2026-30822) have not yet received NVD Primary scores [1–6]. See the CVSS Divergence Note in Section 7.7.

  6. Public proof-of-concept available: The GHSA advisory for CVE-2026-30824 includes a working Python PoC script demonstrating token extraction and container manipulation [7].


6. Attack Flow

The following diagram describes behaviour confirmed by the published advisories [7–12]. Speculative chaining between vulnerabilities is excluded.

                         UNAUTHENTICATED PATH
                         =====================

  Attacker (Internet)
       |
       |-- GET /api/v1/nvidia-nim/get-token
       |   (Whitelisted from JWT -- GHSA-5f53-522j-j454)
       |   +-> NVIDIA API token leaked (CVE-2026-30824)
       |   +-> POST /start-container -> arbitrary container launch
       |   +-> POST /stop-container -> denial of service
       |
       |-- POST /api/v1/attachments/:chatflowId/:chatId
       |   (Whitelisted from JWT -- GHSA-j8g8-j7fc-43v6)
       |   +-> MIME spoofing bypasses file type check
       |   +-> Malicious file persisted to storage (CVE-2026-30821)
       |   +-> Potential stored XSS, malicious file hosting,
       |       or RCE when chained with static hosting/file retrieval
       |
       |-- POST /api/v1/leads
       |   (Whitelisted from JWT -- GHSA-mq4r-h2gh-qv7x)
       |   +-> Object.assign() copies all body properties
       |   +-> Internal DB fields injected (id, createdDate) (CVE-2026-30822)


                      LOW-PRIVILEGE PATH
                      ==================

  Authenticated User (any tenant)
       |
       |-- Any /api/v1/** request + Header: x-request-from: internal
       |   (GHSA-wvhq-wp8g-c7vq)
       |   +-> Middleware treats request as internal client
       |   +-> Full admin access: API keys, credentials, functions (CVE-2026-30820)
       |
       |-- PUT /api/v1/loginmethod + victim organizationId in body
       |   (GHSA-cwc3-p92j-g7qm)
       |   +-> SSO config overwritten for victim org
       |   +-> Auth redirected to attacker OAuth (CVE-2026-30823)
       |
       |-- HTTP Node in AgentFlow/Chatflow
       |   (GHSA-fvcw-9w9r-pxc7)
       |   +-> User-controlled URL with no destination validation
       |   +-> SSRF to internal networks / cloud metadata (CVE-2026-31829)

7. Technical Details

7.1 CVE-2026-30824: Missing Authentication on NVIDIA NIM Endpoints (Unauthenticated)

CVSS: 9.8 Critical: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD Primary) [1]
CWE: CWE-306: Missing Authentication for Critical Function [1]
Advisory: GHSA-5f53-522j-j454 [7]
Reporter: tenbbughunters [7]

The NVIDIA NIM router endpoint /api/v1/nvidia-nim/* is included in the WHITELIST_URLS array in packages/server/src/utils/constants.ts (line 20), which bypasses JWT and API-key validation [7]. None of the controller actions behind this route implement their own authentication checks [7]. The affected endpoints are [7]:

| Method | Endpoint | Risk |
|---|---|---|
| GET | /api/v1/nvidia-nim/get-token | NVIDIA API token leakage |
| GET | /api/v1/nvidia-nim/preload | Resource consumption |
| GET | /api/v1/nvidia-nim/download-installer | Resource consumption |
| GET | /api/v1/nvidia-nim/list-running-containers | Infrastructure enumeration |
| POST | /api/v1/nvidia-nim/pull-image | Arbitrary image pull |
| POST | /api/v1/nvidia-nim/start-container | Arbitrary container execution |
| POST | /api/v1/nvidia-nim/stop-container | Denial of service |
| POST | /api/v1/nvidia-nim/get-image | Information disclosure |
| POST | /api/v1/nvidia-nim/get-container | Information disclosure |

Unauthenticated requests to /get-token return valid NVIDIA API credentials granting access to inference services [7]. The advisory notes that the server returns a 500 error (not 401) when no tokens are configured, confirming the authentication bypass rather than proper rejection [7]. On Docker/NIM-equipped systems, attackers can enumerate, terminate, or launch containers with arbitrary images [7]. A working Python proof-of-concept script is included in the advisory [7].

7.2 CVE-2026-30821: Arbitrary File Upload via MIME Spoofing (Unauthenticated)

CVSS: 9.8 Critical: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD Primary) [2]
CWE: CWE-434: Unrestricted Upload of File with Dangerous Type [2]
Advisory: GHSA-j8g8-j7fc-43v6 [8]
Reporter: @im-soohyun [8]

The attachment upload endpoint /api/v1/attachments/:chatflowId/:chatId is whitelisted from JWT validation [8]. The upload handler validates file types by checking only the client-supplied Content-Type header (via file.mimetype) without verifying actual file content, file signatures (magic bytes), or extensions [8]. The Multer configuration does not include file type validation [8]. Attackers can upload malicious files (e.g., web shells, executable scripts) by spoofing the MIME type as an allowed format [8].

Impact: Remote code execution via uploaded web shells, stored cross-site scripting via malicious HTML/SVG files, and infrastructure compromise in shared storage environments (S3, GCS) potentially affecting multiple tenants [8].
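
An added example (not code from Flowise or the advisory) of the content check the upload handler lacked: a declared Content-Type is accepted only when the file's leading bytes and its extension agree with it. The allowlist, the function names and the sample buffers are assumptions constructed for illustration; the same function can be run over already-stored attachments during a post-patch audit.

```javascript
// Added example, not Flowise code. Allowlist and names are assumptions.
// Only binary formats with a fixed signature are allowlisted; text formats
// such as HTML or SVG have no reliable magic bytes and are always rejected.
const ALLOWED = new Map([
  ['image/png', { magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], exts: ['.png'] }],
  ['image/jpeg', { magic: [0xff, 0xd8, 0xff], exts: ['.jpg', '.jpeg'] }],
  ['image/gif', { magic: [0x47, 0x49, 0x46, 0x38], exts: ['.gif'] }],
  ['application/pdf', { magic: [0x25, 0x50, 0x44, 0x46, 0x2d], exts: ['.pdf'] }],
]);

// Return the allowlisted MIME type whose signature the buffer starts with, or null.
function sniffMime(buffer) {
  for (const [mime, { magic }] of ALLOWED) {
    if (buffer.length >= magic.length && magic.every((byte, i) => buffer[i] === byte)) {
      return mime;
    }
  }
  return null;
}

// Lower-cased final extension including the dot, or '' when there is none.
function extensionOf(filename) {
  const base = String(filename).split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot).toLowerCase() : '';
}

// `file` has the shape Multer gives a memory-storage upload:
// { originalname, mimetype, buffer }. Both originalname and mimetype are
// client-controlled; only buffer reflects what was actually sent.
function checkUpload(file) {
  const declared = String(file.mimetype || '').split(';')[0].trim().toLowerCase();
  const detected = sniffMime(file.buffer);
  const ext = extensionOf(file.originalname);
  const reasons = [];

  const rule = ALLOWED.get(declared);
  if (!rule) {
    reasons.push(`declared type "${declared}" is not allowlisted`);
  } else if (!rule.exts.includes(ext)) {
    reasons.push(`extension "${ext}" does not belong to ${declared}`);
  }
  if (detected === null) {
    reasons.push('content matches no allowlisted signature');
  } else if (detected !== declared) {
    reasons.push(`content is ${detected}, not ${declared}`);
  }
  return { ok: reasons.length === 0, declared, detected, reasons };
}

// Constructed samples: one honest PNG and two uploads whose declared type
// does not match what the bytes are.
const SAMPLES = [
  { originalname: 'logo.png', mimetype: 'image/png',
    buffer: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00]) },
  { originalname: 'notes.html', mimetype: 'image/png',
    buffer: Buffer.from('<html><body>hello</body></html>') },
  { originalname: 'scan.png', mimetype: 'image/png',
    buffer: Buffer.from('%PDF-1.7\n') },
];

for (const sample of SAMPLES) {
  console.log(sample.originalname, checkUpload(sample));
}
```

A signature match is a necessary check, not a sufficient one: stored files should still be served with a fixed Content-Type and from a location that never executes them.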

7.3 CVE-2026-30820: Authorisation Bypass via Spoofed Internal Header (Low-Privilege)

CVSS: 8.8 High: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD Primary) [3]
CWE: CWE-863: Incorrect Authorization [3]
Advisory: GHSA-wvhq-wp8g-c7vq [9]
Reporter: N3mes1s [9]

The authorisation middleware in packages/server/src/index.ts (line 214) treats any authenticated request containing the x-request-from: internal header as an internal client, bypassing API key validation and granting full access to administration functions [9]. This enables any tenant with a valid UI session cookie to escalate to administrative privileges by adding a single HTTP header [9]. Administrative functions exposed include API key management, credential storage, and custom function execution [9].

7.4 CVE-2026-30823: IDOR Leading to Account Takeover via SSO Configuration (Low-Privilege)

CVSS: 8.8 High: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (CNA-submitted, GitHub) [4]. NVD Primary assessment not yet provided [4].
CWE: CWE-639: Authorization Bypass Through User-Controlled Key; CWE-862: Missing Authorization [4]
Advisory: GHSA-cwc3-p92j-g7qm [10]
Reporter: berkdedekarginoglu [10]

The PUT /api/v1/loginmethod endpoint requires authentication but does not validate whether the authenticated user owns or administers the target organizationId [10]. The backend accepts organizationId directly from the request body without verifying that the request user's organisation matches the target [10]. Any authenticated user, including free-tier accounts, can overwrite SSO configurations for other organisations by specifying a victim's organizationId [10]. This enables account takeover by redirecting authentication to attacker-controlled OAuth endpoints (e.g., attacker's Google Client ID), and enterprise feature bypass by activating SSO/SAML from free-tier accounts [10].

7.5 CVE-2026-30822: Mass Assignment in Leads Endpoint (Unauthenticated)

CVSS: 7.7 High: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L (CNA-submitted, GitHub) [5]. NVD Primary assessment not yet provided [5].
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes [5]
Advisory: GHSA-mq4r-h2gh-qv7x [11]
Reporter: yueyueL (igor-magun-wd) [11]

The /api/v1/leads endpoint is whitelisted from authentication and uses Object.assign(newLead, body) (at lines 27–28 of packages/server/src/services/leads/index.ts) to copy all request body properties to the Lead entity without field filtering [11]. Unauthenticated users can inject arbitrary values into internal database fields including id (primary key, auto-generated via @PrimaryGeneratedColumn), createdDate (timestamp, auto-generated via @CreateDateColumn), and chatId [11]. This enables primary key override, timestamp manipulation, and audit trail corruption [11]. The advisory notes that the pattern may also exist in other endpoints, specifically mentioning packages/server/src/utils/addChatMessageFeedback.ts [11].
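
An added example (not the project's code) placing the Object.assign(newLead, body) pattern described above beside an allowlisted copy that also reports the fields it refused. The client-settable field names (name, email, phone, chatflowid), the saveLead stand-in for persistence, the decision to treat chatId as server-generated and the ID generator are all assumptions; the request body is constructed.

```javascript
// Added example, not Flowise code.
// Assumption: the only fields a client may set on a lead, with max lengths.
const CLIENT_FIELDS = new Map([
  ['name', 200],
  ['email', 320],
  ['phone', 40],
  ['chatflowid', 64],
]);

// Stand-in for persistence (assumption): generated columns are filled in only
// when the entity does not already carry a value, so a preset id survives.
function saveLead(entity, gen) {
  return {
    ...entity,
    id: entity.id ?? gen.newId(),
    chatId: entity.chatId ?? gen.newId(),
    createdDate: entity.createdDate ?? gen.now(),
  };
}

// Pattern from the advisory: every body property lands on the entity,
// including id and createdDate.
function createLeadUnfiltered(body, gen) {
  const newLead = {};
  Object.assign(newLead, body);
  return saveLead(newLead, gen);
}

// Hardened form: copy allowlisted string fields only. Anything else is
// returned in `rejected` so the request can be logged and triaged.
function createLeadAllowlisted(body, gen) {
  const newLead = {};
  const rejected = [];
  for (const [key, value] of Object.entries(body ?? {})) {
    const maxLength = CLIENT_FIELDS.get(key);
    if (maxLength !== undefined && typeof value === 'string' && value.length <= maxLength) {
      newLead[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { lead: saveLead(newLead, gen), rejected };
}

// Deterministic generator so the example output is reproducible.
function makeGenerator() {
  let counter = 0;
  return {
    newId: () => `generated-${++counter}`,
    now: () => '2026-03-12T00:00:00.000Z',
  };
}

// Constructed request body carrying two fields the server should own.
const SAMPLE_BODY = {
  name: 'Alice',
  email: 'alice@example.com',
  chatflowid: 'flow-1',
  id: '00000000-0000-0000-0000-000000000001',
  createdDate: '1999-01-01T00:00:00.000Z',
};

console.log('unfiltered :', createLeadUnfiltered(SAMPLE_BODY, makeGenerator()));
console.log('allowlisted:', createLeadAllowlisted(SAMPLE_BODY, makeGenerator()));
```

The rejected list corresponds to the "unexpected fields" indicator for POST /api/v1/leads: logging it gives the application-level visibility that path-only web server logs cannot.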

7.6 CVE-2026-31829: SSRF in HTTP Node (Low-Privilege)

CVSS: 8.8 High: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD Primary) [6]
CWE: CWE-918: Server-Side Request Forgery (SSRF) [6]
Advisory: GHSA-fvcw-9w9r-pxc7 [12]
Reporter: nlgbao1340 [12]

The HTTP Node component in Flowise AgentFlow and Chatflow executes server-side HTTP requests using user-controlled URLs without restrictions on target hosts [12]. There are no default restrictions on private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints (169.254.169.254) [12]. All standard HTTP methods (GET, POST, PUT, PATCH, DELETE) are supported [12].
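
An added example (not Flowise code and not the project's fix) of the destination check the HTTP Node lacked: the URL is parsed, the scheme restricted, and literal addresses in the ranges named above are refused. It goes slightly beyond the text by also covering IPv6 loopback, unique-local, link-local and IPv4-mapped addresses; the function names and return shape are assumptions.

```javascript
// Added example, not Flowise code. Names and return shape are assumptions.
const BLOCKED_V4 = [
  ['10.0.0.0', 8, 'RFC 1918'],
  ['172.16.0.0', 12, 'RFC 1918'],
  ['192.168.0.0', 16, 'RFC 1918'],
  ['127.0.0.0', 8, 'loopback'],
  ['169.254.0.0', 16, 'link-local (includes 169.254.169.254)'],
  ['0.0.0.0', 8, 'unspecified'],
];

// Dotted-quad string -> unsigned 32-bit number, or null if not an IPv4 literal.
function v4ToInt(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// Label of the blocked range containing addr, or null if addr is outside all.
function blockedV4Reason(addr) {
  for (const [base, bits, label] of BLOCKED_V4) {
    const size = 2 ** (32 - bits);
    if (Math.floor(addr / size) === Math.floor(v4ToInt(base) / size)) return label;
  }
  return null;
}

// host is URL.hostname without its brackets, e.g. "::1" or "::ffff:a00:1".
function blockedV6Reason(host) {
  if (host === '::1') return 'loopback';
  if (host === '::') return 'unspecified';
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (mapped) {
    const addr = parseInt(mapped[1], 16) * 65536 + parseInt(mapped[2], 16);
    const reason = blockedV4Reason(addr);
    return reason ? `IPv4-mapped ${reason}` : null;
  }
  const first = parseInt(host.split(':')[0] || '0', 16);
  if ((first & 0xfe00) === 0xfc00) return 'unique local (fc00::/7)';
  if ((first & 0xffc0) === 0xfe80) return 'link-local (fe80::/10)';
  return null;
}

function checkDestination(rawUrl) {
  let url;
  try {
    // The URL parser canonicalises the host, so the checks below always see
    // a normalised hostname rather than the caller's spelling of it.
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: 'not a valid absolute URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: `scheme ${url.protocol} not permitted` };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { allowed: false, reason: 'loopback name' };
  }
  if (host.startsWith('[')) {
    const reason = blockedV6Reason(host.slice(1, -1));
    return reason ? { allowed: false, reason } : { allowed: true, reason: 'public IPv6 literal' };
  }
  const addr = v4ToInt(host);
  if (addr === null) {
    // A DNS name proves nothing by itself: the caller must resolve it, run
    // every returned address through the same range checks, and connect to
    // the address that was checked. Repeat the check on each redirect hop.
    return { allowed: true, needsResolution: true, reason: 'DNS name, check resolved addresses' };
  }
  const reason = blockedV4Reason(addr);
  return reason ? { allowed: false, reason } : { allowed: true, reason: 'public IPv4 literal' };
}

// Constructed inputs.
for (const sample of ['http://169.254.169.254/latest/meta-data/', 'http://10.1.2.3:8080/',
  'http://localhost:3000/api', 'http://[::1]:3000/', 'https://api.example.com/v1']) {
  console.log(sample, checkDestination(sample));
}
```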

NVD vs CNA scoring disagreement: The NVD Primary assigns CVSS 8.8 with AC:L (Attack Complexity: Low) and A:H (Availability: High), while the CNA (GitHub) assigns CVSS 7.1 with AC:H (Attack Complexity: High) and A:L (Availability: Low) [6, 12]. Both agree on PR:L (Privileges Required: Low) [6, 12]. The NVD Primary score of 8.8 is used for severity language because NVD has fully Analysed this entry [6].

Deployment context: The advisory states that "Flowise instances are often deployed publicly without authentication (FLOWISE_USERNAME/FLOWISE_PASSWORD not set by default)" [12]. While the CVSS vector specifies PR:L, the default-unauthenticated deployment pattern may effectively lower the authentication barrier in practice (RAXE assessment).

7.7 CVSS Divergence Note

This finding includes six CVEs with varying levels of CVSS score agreement between NVD and the CNA (GitHub). The following table presents all known scores for transparency.

NVD Primary vs CNA-Submitted Scores:

| CVE | NVD Primary | NVD Vector | CNA v3.x | CNA v3.x Vector | CNA v4.0 | NVD Status |
|---|---|---|---|---|---|---|
| CVE-2026-30824 | 9.8 (v3.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.6 (v3.1) | (GHSA-reported) | 7.7 | Analysed [1] |
| CVE-2026-30821 | 9.8 (v3.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | -- | -- | 8.2 | Analysed [2] |
| CVE-2026-30820 | 8.8 (v3.1) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | -- | -- | 8.7 | Analysed [3] |
| CVE-2026-30823 | Not provided | -- | 8.8 (v3.0) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | -- | Analysed (NVD Primary pending) [4] |
| CVE-2026-30822 | Not provided | -- | 7.7 (v3.0) | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L | -- | Analysed (NVD Primary pending) [5] |
| CVE-2026-31829 | 8.8 (v3.1) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1 (v3.1) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L | -- | Analysed [6] |

Key observations:

  • For CVE-2026-30824, the NVD assigns 9.8 (Critical) while the CNA-submitted v4.0 score is 7.7 (High), a delta of 2.1 points. The CNA v4.0 vector sets VC:N/VI:N/VA:N (no direct impact) but SC:H (high subsequent confidentiality impact), suggesting the CNA models the token leak as an indirect-impact vulnerability [1, 7].
  • For CVE-2026-31829, the NVD and CNA disagree on Attack Complexity (L vs H) and Availability impact (H vs L), producing a 1.7-point delta [6, 12].
  • For CVE-2026-30823 and CVE-2026-30822, NVD has not yet provided its own Primary CVSS assessment; only CNA-submitted v3.0 scores are available [4, 5]. Severity language in this advisory uses the CNA scores for these two CVEs and NVD Primary scores for the remaining four.
  • Three CNA v4.0 scores exist: 7.7 (CVE-2026-30824), 8.2 (CVE-2026-30821), and 8.7 (CVE-2026-30820) [1, 2, 3]. These represent the CNA's assessment under CVSS v4.0 methodology and are disclosed for completeness.

8. Confidence & Validation

Assessment Confidence: High

| Aspect | Status | Detail |
|---|---|---|
| Vendor Advisory | Published | All six have GHSA advisories from FlowiseAI (published 5 to 11 March 2026) [7–12] |
| CVE Assigned | Yes | Six CVE IDs assigned: CVE-2026-30824, -30821, -30820, -30823, -30822, -31829 [1–6] |
| NVD Analysed | Partial | Four of six have NVD Primary CVSS scores (Analysed); two have CNA-submitted scores with NVD Primary pending [1–6] |
| PoC Available | Partial | Public PoC script for CVE-2026-30824 included in advisory [7]; reproduction steps for others are advisory-derived conceptual [8–12] |
| Patch Available | Yes | Flowise v3.0.13 remediates all six; confirmed in npm registry [13, 14] |
| Exploited in Wild | Not confirmed | No known exploitation in the wild. EPSS for CVE-2026-30824 is 0.0002 (5th percentile) as of 2026-03-11, indicating low current exploitation probability (FIRST.org EPSS) [15] |
| Admiralty Grade | A2 | Completely reliable source (NVD + GHSA), probably true information |

9. Detection Signatures

Seven Sigma detection rules are provided below, covering all six CVEs plus a posture/exposure hunting rule. These rules require access to web server, reverse proxy, or network monitoring logs that capture URL paths and HTTP headers (RAXE assessment).

Detection limitations:

  • Flowise does not produce structured security audit logs by default; detection depends on upstream log sources (reverse proxy, WAF, or network monitoring) (RAXE assessment).
  • Rules targeting unauthenticated endpoints (CVE-2026-30824, CVE-2026-30821, CVE-2026-30822) will trigger on any request to those paths, including legitimate usage on unpatched instances. These are delivery telemetry rules, not IOC-grade detections (RAXE assessment).
  • The authorisation bypass rule (CVE-2026-30820) detects the x-request-from: internal header, which may be used legitimately by Flowise's internal components. Manual triage is required (RAXE assessment).

Rule 1: Unauthenticated Access to NVIDIA NIM Endpoints

Classification: Delivery telemetry (medium) CVE: CVE-2026-30824 | CWE: CWE-306

title: Flowise Unauthenticated NVIDIA NIM Endpoint Access
id: raxe-2026-033-r1
status: experimental
description: >
  Detects HTTP requests to Flowise NVIDIA NIM router endpoints that are
  whitelisted from authentication. Unauthenticated access to /get-token
  leaks NVIDIA API credentials; /start-container and /stop-container
  enable container manipulation (GHSA-5f53-522j-j454).
references:
  - https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454
  - https://nvd.nist.gov/vuln/detail/CVE-2026-30824
author: RAXE Labs
date: 2026-03-11
tags:
  - attack.initial_access
  - cve.2026.30824
  - cwe.306
logsource:
  category: webserver
  product: any
detection:
  selection:
    cs-uri-stem|contains:
      - '/api/v1/nvidia-nim/get-token'
      - '/api/v1/nvidia-nim/preload'
      - '/api/v1/nvidia-nim/download-installer'
      - '/api/v1/nvidia-nim/list-running-containers'
      - '/api/v1/nvidia-nim/pull-image'
      - '/api/v1/nvidia-nim/start-container'
      - '/api/v1/nvidia-nim/stop-container'
      - '/api/v1/nvidia-nim/get-image'
      - '/api/v1/nvidia-nim/get-container'
  condition: selection
falsepositives:
  - Legitimate Flowise users accessing NIM endpoints on unpatched instances
  - Internal health checks targeting NIM status endpoints
level: medium

Rule 2: Arbitrary File Upload via Attachment Endpoint

Classification: Delivery telemetry (medium) CVE: CVE-2026-30821 | CWE: CWE-434

title: Flowise Unauthenticated File Upload to Attachment Endpoint
id: raxe-2026-033-r2
status: experimental
description: >
  Detects HTTP POST requests to the Flowise attachment upload endpoint.
  This endpoint is whitelisted from JWT validation and validates uploads
  by client-supplied Content-Type only, enabling MIME spoofing to upload
  malicious files (GHSA-j8g8-j7fc-43v6).
references:
  - https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6
  - https://nvd.nist.gov/vuln/detail/CVE-2026-30821
author: RAXE Labs
date: 2026-03-11
tags:
  - attack.initial_access
  - cve.2026.30821
  - cwe.434
logsource:
  category: webserver
  product: any
detection:
  selection:
    cs-method: POST
    cs-uri-stem|contains: '/api/v1/attachments/'
  condition: selection
falsepositives:
  - Legitimate chatflow file uploads on unpatched instances
level: medium

Rule 3: Authorisation Bypass via Spoofed Internal Header

Classification: Delivery telemetry (medium) CVE: CVE-2026-30820 | CWE: CWE-863

title: Flowise Authorisation Bypass via x-request-from Internal Header
id: raxe-2026-033-r3
status: experimental
description: >
  Detects HTTP requests containing the x-request-from header set to
  'internal'. The Flowise middleware treats such requests as internal
  clients, bypassing API key validation and granting full admin access
  to low-privilege tenants (GHSA-wvhq-wp8g-c7vq).
  Note: this header may be used legitimately by Flowise internal
  components. Manual triage is required (RAXE assessment).
references:
  - https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq
  - https://nvd.nist.gov/vuln/detail/CVE-2026-30820
author: RAXE Labs
date: 2026-03-11
tags:
  - attack.privilege_escalation
  - cve.2026.30820
  - cwe.863
logsource:
  category: webserver
  product: any
detection:
  selection:
    cs-uri-stem|startswith: '/api/v1/'
  filter_header:
    cs-header-x-request-from: 'internal'
  condition: selection and filter_header
falsepositives:
  - Flowise internal service-to-service communication using the same header
  - Requires log source that captures custom HTTP headers
level: medium

Rule 4: IDOR via SSO Login Method Modification

Classification: Delivery telemetry (medium) CVE: CVE-2026-30823 | CWE: CWE-639, CWE-862

title: Flowise SSO Configuration Modification via Login Method Endpoint
id: raxe-2026-033-r4
status: experimental
description: >
  Detects HTTP PUT requests to the Flowise login method endpoint.
  This endpoint does not validate organisation ownership, allowing
  any authenticated user to overwrite SSO configurations for other
  organisations, enabling account takeover (GHSA-cwc3-p92j-g7qm).
references:
  - https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm
  - https://nvd.nist.gov/vuln/detail/CVE-2026-30823
author: RAXE Labs
date: 2026-03-11
tags:
  - attack.privilege_escalation
  - cve.2026.30823
  - cwe.639
logsource:
  category: webserver
  product: any
detection:
  selection:
    cs-method: PUT
    cs-uri-stem|contains: '/api/v1/loginmethod'
  condition: selection
falsepositives:
  - Legitimate SSO configuration changes by organisation administrators
level: medium

Rule 5: Mass Assignment via Leads Endpoint

Classification: Delivery telemetry (medium) CVE: CVE-2026-30822 | CWE: CWE-915

title: Flowise Unauthenticated Lead Creation Request
id: raxe-2026-033-r5
status: experimental
description: >
  Detects HTTP POST requests to the Flowise leads endpoint. This endpoint
  is whitelisted from authentication and uses Object.assign() without
  field filtering, enabling unauthenticated mass assignment of internal
  database fields (GHSA-mq4r-h2gh-qv7x).
references:
  - https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-mq4r-h2gh-qv7x
  - https://nvd.nist.gov/vuln/detail/CVE-2026-30822
author: RAXE Labs
date: 2026-03-11
tags:
  - attack.initial_access
  - cve.2026.30822
  - cwe.915
logsource:
  category: webserver
  product: any
detection:
  selection:
    cs-method: POST
    cs-uri-stem|contains: '/api/v1/leads'
  condition: selection
falsepositives:
  - Legitimate lead submission through Flowise chatflows
level: medium

Rule 6: SSRF via HTTP Node Targeting Internal Networks

Classification: Delivery telemetry (medium) CVE: CVE-2026-31829 | CWE: CWE-918

title: Flowise HTTP Node Request to Internal or Metadata Endpoint
id: raxe-2026-033-r6
status: experimental
description: >
  Detects outbound HTTP requests from Flowise server processes targeting
  private IP ranges (RFC 1918), localhost, or cloud metadata endpoints.
  The Flowise HTTP Node executes server-side requests with user-controlled
  URLs without destination validation (GHSA-fvcw-9w9r-pxc7).
  Requires network monitoring or proxy logs that capture outbound
  requests from the Flowise server process (RAXE assessment).
references:
  - https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fvcw-9w9r-pxc7
  - https://nvd.nist.gov/vuln/detail/CVE-2026-31829
author: RAXE Labs
date: 2026-03-11
tags:
  - attack.lateral_movement
  - cve.2026.31829
  - cwe.918
logsource:
  category: proxy
  product: any
detection:
  selection_private:
    r-dns|startswith:
      - '10.'
      - '172.16.'
      - '172.17.'
      - '172.18.'
      - '172.19.'
      - '172.20.'
      - '172.21.'
      - '172.22.'
      - '172.23.'
      - '172.24.'
      - '172.25.'
      - '172.26.'
      - '172.27.'
      - '172.28.'
      - '172.29.'
      - '172.30.'
      - '172.31.'
      - '192.168.'
      - '127.'
  selection_metadata:
    r-dns|contains: '169.254.169.254'
  condition: selection_private or selection_metadata
falsepositives:
  - Legitimate Flowise HTTP Node requests to internal APIs configured by users
  - Fires on any outbound request to private ranges -- requires correlation with Flowise process identity via network monitoring to reduce noise (RAXE assessment)
level: medium

Rule 7: Flowise Instance Exposure Check (Posture)

Classification: Posture/exposure rule (low)

title: Flowise Instance Running Without Authentication
id: raxe-2026-033-r7
status: experimental
description: >
  Hunting rule to identify Flowise instances that respond to API
  requests without authentication. Flowise does not require
  FLOWISE_USERNAME/PASSWORD by default, making all authenticated-
  endpoint vulnerabilities (CVE-2026-30820, CVE-2026-30823,
  CVE-2026-31829) exploitable without credentials
  (GHSA-fvcw-9w9r-pxc7). Requires active scanning or configuration
  audit (RAXE assessment).
references:
  - https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fvcw-9w9r-pxc7
author: RAXE Labs
date: 2026-03-11
tags:
  - attack.reconnaissance
logsource:
  category: webserver
  product: any
detection:
  selection:
    cs-uri-stem|startswith: '/api/v1/'
    sc-status: 200
  filter_no_auth:
    cs-header-authorization: ''
  condition: selection and filter_no_auth
falsepositives:
  - Whitelisted endpoints that legitimately do not require authentication
  - Internal development instances
level: low

10. Detection & Mitigation

Immediate Actions

  1. Upgrade to Flowise v3.0.13 or later. This remediates all six vulnerabilities [7–13]. The fixed version is available in the npm registry [14].

  2. Set authentication credentials. Configure FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables on all Flowise instances. Flowise does not require these by default [12].

  3. Restrict network exposure. Flowise instances should not be directly exposed to the public internet. Deploy behind a reverse proxy with authentication and access controls (RAXE assessment).

Post-Patch Validation

  1. Rotate NVIDIA API tokens. On systems running NVIDIA NIM integrations, rotate any NVIDIA API tokens that may have been exposed via the unauthenticated /api/v1/nvidia-nim/get-token endpoint [7].

  2. Audit running containers. On Docker/NIM-equipped Flowise systems, audit running containers for any images launched via the unauthenticated /api/v1/nvidia-nim/start-container endpoint [7].

  3. Audit uploaded files. Review files stored via the attachment endpoint (/api/v1/attachments/) for suspicious file types that may indicate MIME spoofing exploitation [8].

  4. Review SSO configurations. If using Flowise with SSO/SAML, verify that login method configurations have not been modified by unauthorised users [10].

  5. Audit leads database. Check for anomalous id, createdDate, or chatId values in the leads table that may indicate mass assignment exploitation [11].

Ongoing Monitoring

  1. Deploy detection rules. Implement the seven Sigma rules from Section 9 to monitor for exploitation attempts. Rules 1–6 provide delivery telemetry for each CVE; Rule 7 identifies unprotected instances (RAXE assessment).

  2. Monitor outbound requests. Watch for SSRF indicators: outbound HTTP requests from Flowise processes to RFC 1918 addresses, localhost, or cloud metadata endpoints (169.254.169.254) (RAXE assessment).


11. Indicators of Compromise

These are behavioural and network-level indicators based on the advisory-described attack mechanisms [7–12]. No file-hash IOCs are available for this vulnerability cluster (RAXE assessment).

| Type | Indicator | Context |
|---|---|---|
| HTTP Request | GET /api/v1/nvidia-nim/get-token without authentication | Token exfiltration (CVE-2026-30824) [7] |
| HTTP Request | POST /api/v1/nvidia-nim/start-container without authentication | Container manipulation (CVE-2026-30824) [7] |
| HTTP Request | POST /api/v1/attachments/:chatflowId/:chatId with mismatched Content-Type and file extension | MIME spoofing file upload (CVE-2026-30821) [8] |
| HTTP Header | x-request-from: internal on external requests to /api/v1/** | Authorisation bypass (CVE-2026-30820) [9] |
| HTTP Request | PUT /api/v1/loginmethod with organizationId not matching authenticated user | IDOR / SSO hijacking (CVE-2026-30823) [10] |
| HTTP Request | POST /api/v1/leads with unexpected fields (id, createdDate, chatId) | Mass assignment (CVE-2026-30822) [11] |
| Network | Outbound HTTP from Flowise to 169.254.169.254, 127.0.0.1, or RFC 1918 ranges | SSRF exploitation (CVE-2026-31829) [12] |
| Server Response | HTTP 500 (not 401) on /api/v1/nvidia-nim/get-token when NIM not configured | Confirms auth bypass exists on unpatched instance [7] |

12. Strategic Context

This vulnerability cluster illustrates repeated access-control failures in LLM orchestration tooling where integration convenience overrides security discipline (RAXE assessment). Three of six vulnerabilities derive directly from the Flowise WHITELIST_URLS mechanism, which blanket-exempts entire API route prefixes from JWT validation, while a fourth (CVE-2026-30820) exploits a distinct middleware header-trust flaw, and the remaining two reflect distinct weaknesses in ownership validation and URL input validation [7–12]. The pattern is architecturally similar to weaknesses observed in other low-code AI platforms that expose API endpoints for chatflow and agent integrations (RAXE assessment).

The disclosure of six vulnerabilities simultaneously, spanning authentication whitelisting, header trust, ownership validation, and URL validation failures, suggests that the Flowise security review process did not systematically audit access control boundaries across its API surface (RAXE assessment). The fact that the vulnerabilities were reported by at least three independent researchers (tenbbughunters, berkdedekarginoglu, nlgbao1340, @im-soohyun, yueyueL) [7, 8, 10, 11, 12] suggests that the attack surface was independently discoverable by multiple parties.

From an AI security threat landscape perspective, this cluster maps to MITRE ATLAS technique AML.T0010.001 (AI Supply Chain Compromise: AI Software) [16]. Organisations deploying LLM orchestration platforms should treat these tools as part of their AI supply chain attack surface and apply the same security scrutiny as traditional application infrastructure, including authentication audits, network segmentation, and input validation reviews (RAXE assessment).


13. References

  1. CVE-2026-30824, NVD
  2. CVE-2026-30821, NVD
  3. CVE-2026-30820, NVD
  4. CVE-2026-30823, NVD
  5. CVE-2026-30822, NVD
  6. CVE-2026-31829, NVD
  7. GHSA-5f53-522j-j454: Missing Authentication on NVIDIA NIM Endpoints
  8. GHSA-j8g8-j7fc-43v6: Arbitrary File Upload via MIME Spoofing
  9. GHSA-wvhq-wp8g-c7vq: Authorisation Bypass via Spoofed Internal Header
  10. GHSA-cwc3-p92j-g7qm: IDOR Leading to Account Takeover via SSO Configuration
  11. GHSA-mq4r-h2gh-qv7x: Mass Assignment in Leads Endpoint
  12. GHSA-fvcw-9w9r-pxc7: SSRF in HTTP Node
  13. Flowise v3.0.13 Release
  14. flowise 3.0.13, npm Registry
  15. EPSS: CVE-2026-30824
  16. MITRE ATLAS: AML.T0010.001: AI Supply Chain Compromise: AI Software