CVE-2026-46444
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk25th percentile - higher than 25% of all known CVEs
Summary
Flowise prior to version 3.1.2 had unauthenticated CRUD endpoints for OpenAI Assistants Vector Store that were not protected by authentication middleware. The route /api/v1/openai-assistants-vector-store was not in WHITELIST_URLS and lacked permission checks for operations.
Risk Assessment
The lack of authorization on critical endpoints could lead to unauthorized access to data and operations, posing a serious security risk to the organization.
Recommendation
It is recommended to upgrade to version 3.1.2 to secure the endpoints against unauthorized access and implement appropriate permission checks.
Original NVD description (English source)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in WHITELIST_URLS. However, it is also not protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but no permission checks exist on any operation. This issue has been patched in version 3.1.2.

