Information disclosure in Flowise - CVE-2026-46443

 


Published: May 18, 2026


Vulnerability identifier: #VU131700
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-46443
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the credentials service when handling requests with a credentialName filter parameter. A remote user can send a specially crafted request with the filter parameter to disclose sensitive information.

The response may include the encryptedData field for stored credentials, such as API keys, passwords, and tokens.
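A check for captured API responses, usable as a regression test once the update is installed (an added example, not code from Flowise or from this advisory): it walks a parsed JSON response and reports every path at which an encryptedData field appears, and produces a redacted copy for logging. Only the field names encryptedData and credentialName come from the advisory; the response shape, function names and sample values are constructed assumptions.

```javascript
// Added example, not Flowise code. The field name `encryptedData` comes from
// the advisory; the response shape and all sample values are constructed.
const SENSITIVE_KEYS = new Set(['encryptedData']);

// Recursively collect the JSON paths at which a sensitive key is present.
function findSensitivePaths(value, path = '$', hits = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findSensitivePaths(item, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (SENSITIVE_KEYS.has(key)) hits.push(childPath);
      findSensitivePaths(child, childPath, hits);
    }
  }
  return hits;
}

// Return a deep copy with sensitive keys removed, so a captured response can
// be logged or attached to a ticket without carrying credential ciphertext.
function redactSensitive(value) {
  if (Array.isArray(value)) return value.map(redactSensitive);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [key, child] of Object.entries(value)) {
    if (!SENSITIVE_KEYS.has(key)) out[key] = redactSensitive(child);
  }
  return out;
}

// Constructed sample: a credential listing in which one entry leaks the field.
const leakedResponse = [
  { id: 'cred-1', name: 'example-key', credentialName: 'exampleApi',
    encryptedData: 'CONSTRUCTED-CIPHERTEXT-PLACEHOLDER' },
  { id: 'cred-2', name: 'other-key', credentialName: 'exampleApi' },
];

console.log(findSensitivePaths(leakedResponse));
console.log(findSensitivePaths(redactSensitive(leakedResponse)));
```

An empty result from findSensitivePaths on a credential listing is the expected state after patching; any reported path means the stored credentials at that position should be treated as exposed and rotated.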


How to mitigate CVE-2026-46443

Install the security update from the vendor's website.
