Missing Authorization in Flowise - CVE-2026-46444

 


Published: May 18, 2026


Vulnerability identifier: #VU131699
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-46444
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software: Flowise

Detailed vulnerability description

The vulnerability allows a remote user to access, modify, delete, and upload files to vector stores.

The vulnerability exists due to improper access control in the OpenAI Assistants Vector Store CRUD endpoints when handling API requests to /api/v1/openai-assistants-vector-store. A remote user can send crafted requests to access, modify, delete, and upload files to vector stores.

The affected routes lack checkAnyPermission() middleware on create, update, delete, and file upload operations.
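The missing-middleware condition described above, as an added example that is not Flowise's code: a route table with unguarded create, update, delete and upload handlers, the same table with a permission guard in front of each, and an audit that lists state-changing routes with no guard. The checkAnyPermission() signature, the permission strings, the /:id and /:id/upload sub-paths and the helper names are assumptions made for illustration.

```javascript
// Stand-in for the permission middleware named in the advisory. The signature and
// the permission strings below are assumptions made for this example.
function checkAnyPermission(permissions) {
  const required = permissions.split(',');
  const guard = (req, res, next) => {
    const granted = (req.user && req.user.permissions) || [];
    if (required.some((p) => granted.includes(p))) return next();
    res.status = 403; // authenticated but not authorized: stop the chain
  };
  guard.isPermissionGuard = true; // marker the audit below looks for
  return guard;
}

const controller = (req, res) => { res.status = 200; }; // placeholder handler
const BASE = '/api/v1/openai-assistants-vector-store';

// Constructed route table in the "before" shape: handlers with no guard.
const vulnerableRoutes = [
  { method: 'POST', path: BASE, permission: 'assistants:create', chain: [controller] },
  { method: 'PUT', path: BASE + '/:id', permission: 'assistants:update', chain: [controller] },
  { method: 'DELETE', path: BASE + '/:id', permission: 'assistants:delete', chain: [controller] },
  { method: 'POST', path: BASE + '/:id/upload', permission: 'assistants:update', chain: [controller] },
];

// "After" shape: the guard runs before every state-changing handler.
const hardenedRoutes = vulnerableRoutes.map((r) => ({
  ...r,
  chain: [checkAnyPermission(r.permission), ...r.chain],
}));

// Audit: list state-changing routes with no permission guard ahead of the handler.
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
function findUnguardedRoutes(routes) {
  return routes
    .filter((r) => STATE_CHANGING.has(r.method))
    .filter((r) => !r.chain.slice(0, -1).some((mw) => mw.isPermissionGuard))
    .map((r) => `${r.method} ${r.path}`);
}

// Run a route's middleware chain for a given user and return the HTTP status.
function dispatch(route, user) {
  const req = { user };
  const res = { status: null };
  let i = 0;
  const next = () => { const fn = route.chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res.status;
}
```

Running findUnguardedRoutes() over a project's real route definitions in CI turns this class of omission into a failing check instead of a review-time catch.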


How to mitigate CVE-2026-46444

Install the security update from the vendor's website.
