Authorization bypass through user-controlled key in Flowise - CVE-2026-30823

Published: April 9, 2026


Vulnerability identifier: #VU125529
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-30823
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software: Flowise

Detailed vulnerability description

The vulnerability allows a remote user to take over accounts and bypass enterprise feature restrictions.

The vulnerability exists due to an authorization bypass through a user-controlled key in the PUT /api/v1/loginmethod endpoint when handling authenticated requests that supply an organizationId in the JSON body. A remote user can send a specially crafted request with a target organizationId to take over accounts and bypass enterprise feature restrictions.

The issue can be exploited by overwriting another organization's SSO configuration, including provider credentials, and does not require user interaction.
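The following is an added illustration of the CWE-639 pattern described above and of the fix a defender would expect; it is not Flowise's code. It models a PUT /api/v1/loginmethod-style handler with a hypothetical in-memory store, session shape and role names, showing the body-trusting version beside one that derives the organization from the server-side session and surfaces mismatches for alerting.

```typescript
// Added illustration of CWE-639 for an endpoint shaped like PUT /api/v1/loginmethod.
// Everything here is a simplified, hypothetical model (no Express, no database);
// the request shape, store layout and role names are assumptions, not Flowise's code.
type Role = "owner" | "admin" | "member";
type SsoConfig = Record<string, unknown>;
type Store = Record<string, SsoConfig>;
interface Session { userId: string; organizationId: string; role: Role }
interface Request { session: Session; body: { organizationId?: string; providers: SsoConfig } }
interface Response { status: number; audit?: string }

// Constructed sample data: one SSO configuration per organization.
function sampleStore(): Store {
  return {
    "org-A": { saml: { idpUrl: "https://idp-a.example" } },
    "org-B": { saml: { idpUrl: "https://idp-b.example" } },
  };
}

function makeRequest(userId: string, sessionOrg: string, role: Role,
                     bodyOrg: string | undefined, providers: SsoConfig): Request {
  return { session: { userId, organizationId: sessionOrg, role },
           body: { organizationId: bodyOrg, providers } };
}

// VULNERABLE pattern: the organization to update is read from the client-supplied body,
// so any authenticated user can name another organization and overwrite its SSO config.
function putLoginMethodVulnerable(req: Request, store: Store): Response {
  const orgId = req.body.organizationId ?? req.session.organizationId;
  store[orgId] = req.body.providers;
  return { status: 200 };
}

// HARDENED pattern: the organization comes only from the server-side session, the caller
// must hold an administrative role in it, and a body organizationId that disagrees with
// the session is rejected and surfaced for alerting instead of being silently trusted.
function putLoginMethodHardened(req: Request, store: Store): Response {
  const { userId, organizationId: sessionOrg, role } = req.session;
  if (req.body.organizationId !== undefined && req.body.organizationId !== sessionOrg) {
    return { status: 403,
             audit: `user ${userId} of ${sessionOrg} tried to update loginmethod of ${req.body.organizationId}` };
  }
  if (role !== "owner" && role !== "admin") {
    return { status: 403, audit: `user ${userId} lacks an admin role in ${sessionOrg}` };
  }
  store[sessionOrg] = req.body.providers;
  return { status: 200 };
}
```

The `audit` string returned on rejection is the event a detection rule would key on: an authenticated user submitting an organizationId other than their own to this endpoint.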


How to mitigate CVE-2026-30823

Install the security update from the vendor's website.

Sources