<0.1% probability · 13.1th percentile — 2026-05-12
Affected versions
Flowise prior to 3.1.0
Summary
An unauthenticated remote attacker can read sensitive data from an affected Flowise deployment, including API keys, HTTP authorization headers, and internal configuration. The only prerequisite is knowledge of a chatflow UUID; no credentials for the Flowise instance itself are required. Successful exploitation yields stolen credentials and, through them, unauthorized access to the downstream systems those chatflows connect to.
Remediation
Upgrade Flowise to version 3.1.0 or later. If the service is not meant to be publicly reachable, restrict network access to the Flowise API endpoints so that only trusted networks can reach them; this reduces exposure but is not a substitute for the upgrade. After patching, assume that any API key, authorization header, or other secret stored in the affected chatflows may already have been read, and rotate it: the only prerequisite for exploitation is a chatflow UUID, which is an identifier rather than a credential, so its secrecy cannot be relied on.
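The first remediation step is deciding which deployments fall in the affected range. When a fleet reports version strings in mixed forms ("v3.1.0", "3.10.0", "3.1.0-rc.1", or an unparseable tag such as "latest"), naive string comparison misclassifies them. The following triage helper is an added example, not code from Flowise or from TopVuln: it parses the version strings, applies the advisory's boundary (fixed in 3.1.0), and flags each host. The inventory list, the host names, and the assumption that a pre-release of 3.1.0 should be treated as affected are all constructed for illustration.

```python
"""Flag Flowise deployments in the affected range (prior to 3.1.0).

Added example for this advisory; not part of Flowise or TopVuln.
Host names and version strings below are constructed sample data.
"""
import re
from typing import List, Optional, Tuple

# Boundary from the advisory: versions prior to 3.1.0 are affected.
FIXED_VERSION: Tuple[int, int, int] = (3, 1, 0)

# Accepts an optional leading "v", a MAJOR.MINOR.PATCH core, and an
# optional "-prerelease" suffix; trailing build metadata is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Return ((major, minor, patch), prerelease_or_None) or raise ValueError."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(part) for part in match.group(1, 2, 3))
    return (core[0], core[1], core[2]), match.group(4)


def is_affected(version: str) -> bool:
    """True if the version is prior to 3.1.0.

    Comparison is numeric per component, so 3.10.0 correctly sorts after 3.9.x.
    Assumption: a pre-release of the fixed version (e.g. 3.1.0-rc.1) precedes
    3.1.0 under semantic versioning and is therefore treated as affected.
    """
    core, prerelease = parse_version(version)
    if core < FIXED_VERSION:
        return True
    if core == FIXED_VERSION and prerelease is not None:
        return True
    return False


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify each (host, version) as affected, fixed, or unknown.

    Unparseable versions are reported as 'unknown' rather than aborting the
    run, so a single bad inventory entry does not hide the rest.
    """
    results = []
    for host, version in inventory:
        try:
            status = "affected" if is_affected(version) else "fixed"
        except ValueError:
            status = "unknown"
        results.append((host, version, status))
    return results


# Constructed sample inventory (hypothetical hosts and reported versions).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("flowise-prod-1", "3.0.4"),
    ("flowise-dev", "v3.1.0"),
    ("flowise-lab", "3.10.0"),
    ("flowise-old", "2.2.7"),
    ("flowise-canary", "3.1.0-rc.1"),
    ("flowise-unknown", "latest"),
]


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:18} {version:12} {status}")
```

Hosts reported as "unknown" need a manual check of the running image or package, since an unparseable tag gives no evidence either way; hosts reported as "affected" should be upgraded and then have their stored credentials rotated.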