#VU125529 Authorization bypass through user-controlled key in Flowise - CVE-2026-30823


Published: April 9, 2026


Vulnerability identifier: #VU125529
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-30823
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Flowise
Software vendor: FlowiseAI

Description

The vulnerability allows a remote user to take over accounts and bypass enterprise feature restrictions.

The vulnerability exists because the PUT /api/v1/loginmethod endpoint performs authorization on a user-controlled key: when handling authenticated requests, it trusts the organizationId supplied in the JSON body. A remote user can send a specially crafted request with a target organizationId to take over accounts and bypass enterprise feature restrictions.

The issue can be exploited by overwriting another organization's SSO configuration, including provider credentials, and does not require user interaction.
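The weakness class described above, modeled as a minimal handler; this is an added illustration and not Flowise's own code. The vulnerable version selects the organization to modify from the request body, while the hardened version derives it from the authenticated session and requires an owner role. All names (makeStore, vulnerableUpdate, hardenedUpdate, the role field, the org identifiers) are hypothetical.

```typescript
// Hypothetical model of an "update login method" handler (not Flowise code).
interface SsoConfig { provider: string; clientId: string; clientSecret: string }
interface AuthUser { userId: string; organizationId: string; role: "owner" | "member" }
interface UpdateRequest { user: AuthUser; body: { organizationId?: string; config: SsoConfig } }
interface HandlerResult { status: number; body: unknown }

// Constructed in-memory store: each organization owns exactly one SSO configuration.
function makeStore(): Map<string, SsoConfig> {
  return new Map<string, SsoConfig>([
    ["org-A", { provider: "saml", clientId: "a-client", clientSecret: "a-secret" }],
    ["org-B", { provider: "oidc", clientId: "b-client", clientSecret: "b-secret" }],
  ]);
}

// Vulnerable pattern (CWE-639): the organization to modify is taken from the
// request body, so any authenticated user can name an organization they do
// not belong to and overwrite its SSO configuration.
function vulnerableUpdate(req: UpdateRequest, db: Map<string, SsoConfig>): HandlerResult {
  const orgId = req.body.organizationId ?? req.user.organizationId;
  db.set(orgId, req.body.config);
  return { status: 200, body: { organizationId: orgId } };
}

// Hardened pattern: the target organization comes from the authenticated
// session, a body-supplied organizationId that disagrees with it is rejected
// rather than trusted, and only an owner of that organization may write.
function hardenedUpdate(req: UpdateRequest, db: Map<string, SsoConfig>): HandlerResult {
  const sessionOrg = req.user.organizationId;
  if (req.body.organizationId !== undefined && req.body.organizationId !== sessionOrg) {
    return { status: 403, body: { error: "organizationId does not match session" } };
  }
  if (req.user.role !== "owner") {
    return { status: 403, body: { error: "insufficient role" } };
  }
  db.set(sessionOrg, req.body.config);
  return { status: 200, body: { organizationId: sessionOrg } };
}
```

A detection angle follows from the same check: a PUT to this endpoint whose body organizationId differs from the caller's session organization is worth alerting on even after patching.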


Remediation

Install the security update from the vendor's website.

External links