CVE-2024-36420: Flowise: unauthenticated arbitrary file read via API

HIGH PoC AVAILABLE NUCLEI TEMPLATE
Published July 1, 2024
CISO Take

Any internet-exposed Flowise 1.4.3 instance allows unauthenticated attackers to read arbitrary server files — including .env files storing OpenAI/Anthropic API keys, database credentials, and system configs. No official patch exists; immediately place Flowise behind a VPN or firewall, and rotate all credentials stored on affected servers. This is a trivially exploitable path traversal with zero barriers to entry.

What is the risk?

HIGH severity with critical real-world impact. CVSS 7.5 understates the business risk: no auth, no complexity, network-accessible. Flowise deployments routinely store LLM provider API keys, database URIs, and Stripe/webhook secrets in .env files on the same server. A single unauthenticated POST call can exfiltrate the entire secret surface. Exposure is broad — Flowise is widely self-hosted by teams building LLM workflows, often without hardening.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch


How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 1.8% chance of exploitation in 30 days (higher than 75% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Nuclei detection template available
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: None
A: None

What should I do?

  1. IMMEDIATE: Block external access to Flowise — place behind VPN/firewall or take offline.

  2. Rotate all credentials stored on or accessible from the Flowise server: LLM API keys, DB passwords, auth secrets, webhook tokens.

  3. Audit access logs for POST requests to /api/v1/openai-assistants-file with path traversal patterns (../, /etc/, /proc/).

  4. If Flowise must stay exposed, implement a WAF rule blocking fileName values containing ../ or absolute paths.

  5. Pin Flowise to latest release and monitor FlowiseAI/Flowise for patch availability.

  6. Apply principle of least privilege: run Flowise in a container with read-only filesystem mounts and minimal env exposure.
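
Steps 3 and 4 both come down to one check on the `fileName` value. The following is an added example, not Flowise or WAF vendor code; the function names, the request shape and the sample requests are assumptions. Because `fileName` travels in the POST body, an access log that records only the request line shows the endpoint hit but not the value, so the check assumes the body is available (a reverse-proxy hook or a body-capturing log).

```javascript
// Added example: fileName check for the endpoint named in the advisory.
const ENDPOINT = "/api/v1/openai-assistants-file";

// Undo percent-encoding a bounded number of times so %2e%2e%2f and
// double-encoded forms are compared in their decoded shape.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { return null; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns a reason string when fileName must be rejected, else null.
function rejectReason(fileName) {
  if (typeof fileName !== "string" || fileName === "") return "missing-or-not-string";
  const decoded = fullyDecode(fileName);
  if (decoded === null) return "malformed-encoding"; // also rejects a stray literal '%'
  const path = decoded.replace(/\\/g, "/"); // treat backslashes as separators
  if (path.startsWith("/") || /^[A-Za-z]:/.test(path)) return "absolute-path";
  if (path.split("/").includes("..")) return "dot-dot-segment";
  return null;
}

// req = { method, path, body } with body as raw JSON text (assumed shape).
function inspectRequest(req) {
  if (req.method !== "POST" || req.path.split("?")[0] !== ENDPOINT) {
    return { block: false, reason: null };
  }
  let parsed;
  try { parsed = JSON.parse(req.body); } catch { return { block: true, reason: "unparseable-body" }; }
  const reason = rejectReason(parsed === null ? undefined : parsed.fileName);
  return { block: reason !== null, reason };
}

// Constructed sample requests, not taken from real traffic.
const SAMPLES = [
  { method: "POST", path: ENDPOINT, body: '{"fileName":"file-abc123.pdf"}' },
  { method: "POST", path: ENDPOINT, body: '{"fileName":"../../../../.env"}' },
  { method: "POST", path: ENDPOINT, body: '{"fileName":"%252e%252e%252f.env"}' },
  { method: "POST", path: ENDPOINT, body: '{"fileName":"/etc/passwd"}' },
  { method: "GET", path: "/api/v1/chatflows", body: "" },
];
for (const s of SAMPLES) console.log(s.body, inspectRequest(s));
```

Matching on whole `..` path segments rather than the substring `..` keeps names such as `report..final.txt` from being flagged.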

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art.15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.9 - Logging and monitoring of AI system; A.9.4 - Security of AI system
NIST AI RMF: GOVERN 6.1 - Risk or impact assessments for AI-enabled products; MANAGE 2.2 - Mechanisms to sustain value of deployed AI
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure; LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-36420?

Any internet-exposed Flowise 1.4.3 instance allows unauthenticated attackers to read arbitrary server files — including .env files storing OpenAI/Anthropic API keys, database credentials, and system configs. No official patch exists; immediately place Flowise behind a VPN or firewall, and rotate all credentials stored on affected servers. This is a trivially exploitable path traversal with zero barriers to entry.

Is CVE-2024-36420 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-36420, increasing the risk of exploitation.

How to fix CVE-2024-36420?

  1. IMMEDIATE: Block external access to Flowise — place behind VPN/firewall or take offline.

  2. Rotate all credentials stored on or accessible from the Flowise server: LLM API keys, DB passwords, auth secrets, webhook tokens.

  3. Audit access logs for POST requests to /api/v1/openai-assistants-file with path traversal patterns (../, /etc/, /proc/).

  4. If Flowise must stay exposed, implement a WAF rule blocking fileName values containing ../ or absolute paths.

  5. Pin Flowise to latest release and monitor FlowiseAI/Flowise for patch availability.

  6. Apply principle of least privilege: run Flowise in a container with read-only filesystem mounts and minimal env exposure.

What systems are affected by CVE-2024-36420?

This vulnerability affects the following AI/ML architecture patterns: LLM pipeline builders, Agent frameworks, RAG pipelines, Model serving, API gateways.

What is the CVSS score for CVE-2024-36420?

CVE-2024-36420 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 1.76%.

What is the AI security impact?

Affected AI Architectures

LLM pipeline builders, Agent frameworks, RAG pipelines, Model serving, API gateways

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.6.2.9, A.9.4
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM06, LLM07

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available.

Exploitation Scenario

Attacker discovers Flowise instance via Shodan/Censys (port 3000, /api/v1/ fingerprint). Sends unauthenticated POST to /api/v1/openai-assistants-file with body {"fileName": "../../../../.env"} — receives plaintext env file containing OPENAI_API_KEY, DATABASE_URL, and CLERK_SECRET_KEY. Uses OpenAI key for cost harvesting or data extraction via the victim's LLM. Uses DB credentials to dump the RAG knowledge base and user data. Repeats with /etc/passwd, /proc/self/cmdline for further host recon. Total time from discovery to credential theft: under 5 minutes.

Weaknesses (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

  • [Requirements] Programming languages and supporting technologies might be chosen which are not subject to these issues.
  • [Implementation] Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: July 1, 2024
Last Modified: November 21, 2024
First Seen: July 1, 2024

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2024/CVE-2024-36420.yaml -u https://target.example.com
