CVE Catalog

CVE-2026-56270

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile — higher than 30% of all known CVEs

Summary

Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including OAuth client secrets in cleartext, by providing an organizationId parameter.

Risk Assessment

Remote attackers can send GET requests to harvest sensitive API credentials for Google, Microsoft/Azure, GitHub, and Auth0 integrations, posing a serious security threat to the organization.

Recommendation

It is recommended to upgrade Flowise to version 3.1.0 or later and to secure the /api/v1/loginmethod endpoint from unauthorized access.

Original NVD description (English source)

Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including OAuth client secrets in cleartext, by providing an organizationId parameter. Remote attackers can send a GET request to harvest sensitive API credentials for Google, Microsoft/Azure, GitHub, and Auth0 integrations. This affects FlowiseAI Cloud and self-hosted instances where the endpoint is exposed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS