CVE-2024-36421: Flowise: CORS wildcard enables file read and data theft

HIGH | PoC AVAILABLE
Published: July 1, 2024

CISO Take

Flowise 1.4.3 ships with a wildcard CORS header (Access-Control-Allow-Origin: *) that, in its default unauthenticated state, allows any web origin to make credentialed requests to the application. An attacker can chain this CORS bypass with a path traversal vulnerability to read arbitrary files from the Flowise server — including .env files, API keys for OpenAI/Anthropic, and LLM flow configurations containing business logic and system prompts. Exploitation requires zero privileges and zero user interaction (CVSS PR:N, UI:N), and a public PoC is already available, placing this well within script-kiddie reach. With no patch confirmed at publication time and Flowise widely deployed as a self-hosted AI agent builder, organizations should immediately restrict network access to trusted sources, enforce authentication, and audit exposed instances for credential leakage.

Sources: NVD, GitHub Advisory, ATLAS

Risk Assessment

High risk in practice despite a 7.5 CVSS. The combination of unauthenticated default configuration, network-accessible attack vector, low complexity, and a public PoC makes this trivially exploitable. Self-hosted Flowise instances accessible from the internet are immediately at risk. The secondary file read primitive elevates this beyond a simple CORS issue — it becomes a full credential harvesting vector against AI infrastructure, as Flowise configs routinely store third-party API keys (OpenAI, Anthropic, HuggingFace) in plaintext or environment variables readable from the filesystem.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
flowise | npm | | No patch


Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: N/A
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

  1. Immediately restrict Flowise to internal network access only — do not expose port 3000 to the public internet without a reverse proxy enforcing auth.
  2. Enable Flowise authentication (FLOWISE_USERNAME/FLOWISE_PASSWORD env vars) if not already set — the default unauthenticated mode is the primary amplifier.
  3. Rotate all API keys stored in Flowise (OpenAI, Anthropic, HuggingFace, etc.) and audit usage logs for anomalies.
  4. Place Flowise behind a WAF or NGINX reverse proxy with strict CORS policy overriding the application header.
  5. Monitor server access logs for unexpected cross-origin requests (Origin header from external domains).
  6. Track the GitHub advisory at securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise for patch availability and upgrade immediately when released.
  7. Consider scanning with nuclei or validating manually with the PoC to confirm your instance's exposure before patching.
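
One way to implement the log monitoring in step 5, as an added example (not code from Flowise or the advisory). It assumes the reverse proxy writes an nginx combined-format access log with the request's Origin header appended as a final quoted field; the allowlisted origin, addresses, paths and log lines are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Assumed log format: nginx "combined" plus the Origin header as a final quoted
# field, i.e. log_format ... '"$http_referer" "$http_user_agent" "$http_origin"'.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<origin>[^"]*)"$'
)
# A ".." path segment, also when it follows "=" in a query parameter.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=])\.\.(?:[/\\]|$)')
# Assumption: the only browser origin that should ever call this instance.
ALLOWED_ORIGINS = {"https://flowise.corp.example"}

def has_traversal(uri, max_decodes=3):
    """True if uri holds a '..' segment, including nested percent-encoding."""
    for _ in range(max_decodes + 1):
        if TRAVERSAL_RE.search(uri):
            return True
        decoded = unquote(uri)
        if decoded == uri:
            return False
        uri = decoded
    return False

def triage(lines, allowed=ALLOWED_ORIGINS):
    """Return one finding per request whose Origin is not on the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line is not in the assumed format
        origin = m["origin"]
        if origin in ("", "-") or origin in allowed:
            continue  # no Origin header (non-browser client) or trusted UI
        findings.append({
            "ip": m["ip"], "origin": origin, "uri": m["uri"],
            "served": m["status"].startswith("2"),  # a response body was returned
            "traversal": has_traversal(m["uri"]),    # escalate these first
        })
    return findings

# Constructed sample lines; addresses, hosts and paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2024:10:00:00 +0000] "GET /placeholder/list HTTP/1.1" 200 512 "-" "Mozilla/5.0" "https://flowise.corp.example"',
    '10.0.0.7 - - [01/Jul/2024:10:00:03 +0000] "GET /placeholder/list HTTP/1.1" 200 512 "-" "curl/8.5.0" "-"',
    '203.0.113.9 - - [01/Jul/2024:10:01:10 +0000] "GET /placeholder/list HTTP/1.1" 200 512 "https://untrusted.example/" "Mozilla/5.0" "https://untrusted.example"',
    '203.0.113.9 - - [01/Jul/2024:10:01:12 +0000] "GET /placeholder/%252e%252e/placeholder.txt HTTP/1.1" 404 0 "https://untrusted.example/" "Mozilla/5.0" "https://untrusted.example"',
]
```

A finding with `served` set means data went back to a page on an unlisted origin, which is the case that should trigger the key rotation in step 3.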

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.6.2.6 - Security of AI System Operations
NIST AI RMF: MANAGE 2.2 - Risk Mitigation — Emergent AI Risks
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow attackers without access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.

Exploitation Scenario

An adversary identifies a publicly exposed Flowise instance via Shodan (search: 'Flowise' port:3000) or Censys. They host a malicious web page that uses JavaScript to issue cross-origin fetch() requests to the target Flowise server — possible because the wildcard CORS header permits it and the instance has no authentication. Using the path traversal primitive documented in the GitHub advisory, the attacker crafts requests to read /proc/self/environ or /app/.env from the container, extracting OPENAI_API_KEY, ANTHROPIC_API_KEY, and database connection strings. They then use the leaked LLM keys to make unauthorized API calls — running up costs, stealing conversation history, or using the victim's quota for their own operations. The entire attack chain requires no credentials, no interaction from the victim, and takes under five minutes with the public PoC.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: July 1, 2024
Last Modified: November 21, 2024
First Seen: July 1, 2024
