Missing Authentication for Critical Function in Flowise - #VU126240
Published: April 15, 2026
Flowise
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to missing authentication for a critical function in the /api/v1/loginmethod endpoint when handling GET requests with an organizationId parameter. A remote attacker can send a specially crafted request to disclose sensitive information.
The response can include OAuth client secrets in cleartext for an organization's configured SSO providers.
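A log-review check for the requests described above, added here as an example and not taken from the advisory or from Flowise. It assumes a reverse proxy in front of Flowise writes combined-format access logs; the sample lines, IP addresses and organization IDs are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: a reverse proxy in front of Flowise writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/api/v1/loginmethod"

# Constructed sample lines (documentation IP ranges, made-up organization IDs).
SAMPLE_LOG = """\
198.51.100.7 - - [15/Apr/2026:10:01:02 +0000] "GET /api/v1/loginmethod?organizationId=org-a HTTP/1.1" 200 812
198.51.100.7 - - [15/Apr/2026:10:01:03 +0000] "GET /api/v1/loginmethod?organizationId=org-b HTTP/1.1" 200 790
198.51.100.7 - - [15/Apr/2026:10:01:04 +0000] "GET /api/v1/loginmethod/?organizationId=org-c HTTP/1.1" 404 40
203.0.113.20 - - [15/Apr/2026:10:05:00 +0000] "POST /api/v1/loginmethod HTTP/1.1" 401 25
203.0.113.20 - - [15/Apr/2026:10:05:09 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 5120
malformed line that the parser must skip
"""

def find_loginmethod_reads(log_text):
    """Return {client_ip: {"orgs": set, "served": int, "first_seen": ts}} for
    GET requests to the login-method endpoint that carry organizationId."""
    hits = defaultdict(lambda: {"orgs": set(), "served": 0, "first_seen": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        # Tolerate a trailing slash and path case differences.
        if url.path.rstrip("/").lower() != ENDPOINT:
            continue
        org_ids = parse_qs(url.query).get("organizationId")
        if not org_ids:
            continue
        entry = hits[m["ip"]]
        entry["orgs"].update(org_ids)
        entry["first_seen"] = entry["first_seen"] or m["ts"]
        if m["status"].startswith("2"):  # a 2xx response may have carried SSO secrets
            entry["served"] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, e in find_loginmethod_reads(SAMPLE_LOG).items():
        print(ip, sorted(e["orgs"]), "2xx responses:", e["served"], "first:", e["first_seen"])
```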