CVE-2024-36420: Flowise: unauthenticated arbitrary file read via API

HIGH PoC AVAILABLE
Published July 1, 2024
CISO Take

Any internet-exposed Flowise 1.4.3 instance allows unauthenticated attackers to read arbitrary server files — including .env files storing OpenAI/Anthropic API keys, database credentials, and system configs. No official patch exists; immediately place Flowise behind a VPN or firewall, and rotate all credentials stored on affected servers. This is a trivially exploitable path traversal with zero barriers to entry.

Risk Assessment

HIGH severity with critical real-world impact. CVSS 7.5 understates the business risk: no auth, no complexity, network-accessible. Flowise deployments routinely store LLM provider API keys, database URIs, and Stripe/webhook secrets in .env files on the same server. A single unauthenticated POST call can exfiltrate the entire secret surface. Exposure is broad — Flowise is widely self-hosted by teams building LLM workflows, often without hardening.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| flowise | npm | | No patch |

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 57% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: None
A: None

Recommended Action

  1. IMMEDIATE: Block external access to Flowise — place behind VPN/firewall or take offline.
  2. Rotate all credentials stored on or accessible from the Flowise server: LLM API keys, DB passwords, auth secrets, webhook tokens.
  3. Audit access logs for POST requests to /api/v1/openai-assistants-file with path traversal patterns (../, /etc/, /proc/).
  4. If Flowise must stay exposed, implement a WAF rule blocking fileName values containing ../ or absolute paths.
  5. Pin Flowise to latest release and monitor FlowiseAI/Flowise for patch availability.
  6. Apply principle of least privilege: run Flowise in a container with read-only filesystem mounts and minimal env exposure.
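The check behind steps 3 and 4, as an added example that is not Flowise code or part of the original advisory: one predicate decides whether a `fileName` value should be blocked, and an audit pass applies it to proxy logs. The JSON-lines log layout (`method`, `path`, `src`, `body`) and the sample entries are assumptions constructed for illustration.

```javascript
// Added example, not Flowise code. Log field names are assumptions.
const ENDPOINT = '/api/v1/openai-assistants-file';

// Undo up to three layers of URL-encoding and unify slashes so that
// encoded spellings of "../" are checked in one canonical form.
function normalise(value) {
  let out = String(value);
  for (let i = 0; i < 3; i++) {
    try { out = decodeURIComponent(out); } catch { break; }
  }
  return out.replace(/\\/g, '/');
}

// Step 4 predicate: block anything that is not a plain relative name.
function isBlockedFileName(fileName) {
  if (typeof fileName !== 'string' || fileName === '') return true;
  const n = normalise(fileName);
  return n.includes('\0') || n.startsWith('/') || /^[A-Za-z]:/.test(n) ||
    n.split('/').includes('..');
}

// Step 3 audit. Plain access logs do not record POST bodies, so a POST to
// the endpoint with no logged body is still reported for manual review.
function auditLog(lines) {
  const findings = [];
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; }
    if (!e || e.method !== 'POST' || !String(e.path).startsWith(ENDPOINT)) continue;
    if (e.body === undefined) {
      findings.push({ src: e.src, reason: 'body-not-logged' });
      continue;
    }
    let fileName;
    try { fileName = JSON.parse(e.body).fileName; } catch { /* unparsable */ }
    if (isBlockedFileName(fileName)) findings.push({ src: e.src, reason: 'blocked-fileName', fileName });
  }
  return findings;
}

// Constructed sample entries (documentation address ranges).
const entry = (src, path, body) => JSON.stringify({ method: 'POST', path, src, body });
const SAMPLE_LOG = [
  entry('203.0.113.7', ENDPOINT, '{"fileName":"../../../../.env"}'),
  entry('203.0.113.7', ENDPOINT, '{"fileName":"/etc/passwd"}'),
  entry('198.51.100.4', ENDPOINT, '{"fileName":"report.pdf"}'),
  entry('198.51.100.9', ENDPOINT, undefined),
];
console.log(auditLog(SAMPLE_LOG));
```

Because the endpoint needs no authentication, every source address that reached it before access was restricted is worth reviewing, whether or not the body was captured.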

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art.15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.9 - Logging and monitoring of AI system; A.9.4 - Security of AI system
NIST AI RMF: GOVERN 6.1 - Risk or impact assessments for AI-enabled products; MANAGE 2.2 - Mechanisms to sustain value of deployed AI
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure; LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2024-36420 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-36420, increasing the risk of exploitation.

What systems are affected by CVE-2024-36420?

This vulnerability affects the following AI/ML architecture patterns: LLM pipeline builders, Agent frameworks, RAG pipelines, Model serving, API gateways.

What is the CVSS score for CVE-2024-36420?

CVE-2024-36420 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.34%.

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available.
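What "lack of sanitization of the `fileName` body parameter" means in practice, as an added illustration of the bug class and its code-level fix; this is not Flowise's source, and `BASE_DIR`, `unsafeResolve` and `safeResolve` are hypothetical names. The hardened form canonicalises the path first and then requires the result to stay under the base directory.

```javascript
const path = require('node:path');

// Hypothetical storage directory; the advisory does not name the real one.
const BASE_DIR = '/srv/app-data/openai-assistant';

// Unsafe pattern: the request value is joined to the base path unchecked,
// so ".." segments in fileName resolve to a location outside BASE_DIR.
function unsafeResolve(fileName) {
  return path.posix.join(BASE_DIR, fileName);
}

// Hardened pattern: resolve to a canonical absolute path, then accept it
// only if the path relative to BASE_DIR does not climb out of it.
function safeResolve(fileName) {
  if (typeof fileName !== 'string' || fileName === '' || fileName.includes('\0')) {
    throw new Error('invalid fileName');
  }
  const resolved = path.posix.resolve(BASE_DIR, fileName);
  const rel = path.posix.relative(BASE_DIR, resolved);
  if (rel === '' || rel === '..' || rel.startsWith('../') || path.posix.isAbsolute(rel)) {
    throw new Error('fileName escapes base directory');
  }
  return resolved;
}

// Constructed inputs: one legitimate name and the two shapes named above.
for (const name of ['report.pdf', '../../../../.env', '/etc/passwd']) {
  let verdict;
  try { verdict = 'allowed -> ' + safeResolve(name); } catch (err) { verdict = 'rejected: ' + err.message; }
  console.log(JSON.stringify(name), 'unsafe ->', unsafeResolve(name), '|', verdict);
}
```

The check is lexical only; a handler that serves the file should also compare `fs.realpathSync` of the result against the base directory so a symlink inside it cannot point elsewhere.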

Exploitation Scenario

Attacker discovers Flowise instance via Shodan/Censys (port 3000, /api/v1/ fingerprint). Sends unauthenticated POST to /api/v1/openai-assistants-file with body {"fileName": "../../../../.env"} — receives plaintext env file containing OPENAI_API_KEY, DATABASE_URL, and CLERK_SECRET_KEY. Uses OpenAI key for cost harvesting or data extraction via the victim's LLM. Uses DB credentials to dump the RAG knowledge base and user data. Repeats with /etc/passwd, /proc/self/cmdline for further host recon. Total time from discovery to credential theft: under 5 minutes.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: July 1, 2024
Last Modified: November 21, 2024
First Seen: July 1, 2024
