Main Vulnerability Database Vulnerabilities #VU125527

Missing Authentication for Critical Function in Flowise - CVE-2026-30824

Published: April 9, 2026 / Updated: April 30, 2026

Vulnerability identifier: #VU125527

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2026-30824

CWE-ID: CWE-306

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: FlowiseAI

Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information in a subsequent system.

The vulnerability exists due to missing authentication for critical function in the NVIDIA NIM endpoints when handling requests to /api/v1/nvidia-nim/*. A remote attacker can send crafted requests to obtain a valid NVIDIA API token and disclose sensitive information in a subsequent system.

On systems with Docker or NIM installed, additional unauthenticated endpoint access may allow container enumeration, image pulls, container starts, or service disruption.

How to mitigate CVE-2026-30824

Install security update from vendor's website.

Sources

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454

Missing Authentication for Critical Function in Flowise - CVE-2026-30824

Detailed vulnerability description

How to mitigate CVE-2026-30824

Sources

Please verify you're human