CVE-2026-30820: Flowise: header spoof auth bypass exposes admin API & creds
HIGH. PoC available.
Flowise, a widely deployed drag-and-drop LLM workflow builder, allows any authenticated tenant to gain full administrative access by spoofing a single HTTP header: `x-request-from: internal`. Once escalated, the attacker can read all stored LLM provider credentials (OpenAI, Anthropic, etc.), manage API keys, and execute arbitrary custom functions; the blast radius is every secret the Flowise instance holds. A public proof-of-concept is available and exploitation requires no specialized skills: CVSS 8.8 with AC:L/PR:L means any trial or low-privilege account is sufficient. Upgrade to Flowise 3.0.13 immediately and, as a stop-gap, configure your API gateway or WAF to strip or reject external requests bearing an `x-request-from` header (any value, not only `internal`).
Risk Assessment
High risk in any multi-user or SaaS Flowise deployment. The attack is network-reachable and low-complexity, requires only a valid low-privilege account, and yields full administrative access, including credential exfiltration and code execution via custom functions. Sixteen prior CVEs in this package indicate a pattern of security debt. The public PoC removes what little exploitation barrier remained; expect opportunistic scanning within days of disclosure. Not yet in CISA KEV, but the CVSS score and PoC availability make active exploitation likely.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | < 3.0.13 | 3.0.13 |
Recommended Action
- Patch: Upgrade all Flowise instances to version 3.0.13 immediately — the fix removes trust in the `x-request-from: internal` header from unauthenticated/untrusted sources.
- Interim WAF control: Add a rule at the gateway or WAF to strip (or reject requests carrying) any inbound `x-request-from` header before it reaches the Flowise service. Match the header name case-insensitively, as HTTP header names are, and drop it regardless of value rather than matching only `internal`.
- Credential rotation: Assume compromise of all API keys stored in any Flowise credential store running pre-3.0.13; rotate LLM provider keys, database credentials, and integration secrets.
- Detection: Query access logs for calls to `/api/v1/apikey`, `/api/v1/credentials`, or `/api/v1/tools` that carried this header from sources other than your own internal callers. Stock web-server access-log formats do not record request headers, so the log format must be extended first (for nginx, add `$http_x_request_from` to the `log_format`); until then the header is invisible in the logs.
- Audit accounts: Review all tenant accounts — especially trial/low-privilege — for anomalous API activity in the period since the advisory was published (2026-03-07).
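The detection step above, written out as an added example that is not from the advisory or the Flowise project: it scans JSON access-log lines for the spoofed header, flags every external request that carried it, and marks the ones aimed at the admin endpoints named in this advisory. The field names (`x_request_from`, `src`, `user`, `path`) and the sample lines are constructed for illustration; the one real assumption is that your ingress logs the header at all (nginx exposes it as `$http_x_request_from`).

```javascript
// Added example (not advisory or Flowise code): hunt for CVE-2026-30820
// header spoofing in JSON access logs. Assumes the ingress logs the request
// header in a field named x_request_from; field names are illustrative.

// Admin surfaces named in the advisory.
const ADMIN_PATH_RE = /^\/api\/v1\/(apikey|credentials|tools)(\/|\?|$)/;

// Sources allowed to originate genuine internal calls (assumption: loopback).
// Pass an empty Set if internal traffic never reaches this log.
const DEFAULT_TRUSTED_SOURCES = new Set(['127.0.0.1', '::1']);

// Parse one JSON log line; null for non-JSON or lines missing key fields.
function parseLine(line) {
  try {
    const rec = JSON.parse(line);
    if (typeof rec.path !== 'string' || typeof rec.src !== 'string') return null;
    return rec;
  } catch {
    return null;
  }
}

// Every request that carried x-request-from: internal (value matched
// case-insensitively) from a source that is not a trusted internal caller.
// A legitimate external client never sends this header, so each hit is
// suspicious; `admin` marks the ones that reached the credential/key/tool API.
function findHeaderSpoofHits(lines, trustedSources = DEFAULT_TRUSTED_SOURCES) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const hdr = String(rec.x_request_from ?? '').trim().toLowerCase();
    if (hdr !== 'internal') continue;          // header absent or other value
    if (trustedSources.has(rec.src)) continue;  // genuine internal caller
    hits.push({
      ts: rec.ts,
      src: rec.src,
      user: rec.user ?? '<anonymous>',
      method: rec.method,
      path: rec.path,
      status: rec.status,
      admin: ADMIN_PATH_RE.test(rec.path),
    });
  }
  return hits;
}

// Roll hits up per account so one tenant replaying many endpoints becomes
// a single finding for the account-audit step.
function summarizeByUser(hits) {
  const byUser = new Map();
  for (const h of hits) {
    const e = byUser.get(h.user) ?? { count: 0, paths: new Set(), sources: new Set() };
    e.count += 1;
    e.paths.add(h.path);
    e.sources.add(h.src);
    byUser.set(h.user, e);
  }
  return byUser;
}

// Human-readable lines, one per offending account.
function report(lines, trustedSources = DEFAULT_TRUSTED_SOURCES) {
  const out = [];
  for (const [user, s] of summarizeByUser(findHeaderSpoofHits(lines, trustedSources))) {
    out.push(`${user}: ${s.count} spoofed call(s) from ${[...s.sources].join(',')} -> ${[...s.paths].join(', ')}`);
  }
  return out;
}

// Constructed sample log (not real traffic): one tenant replaying the admin
// endpoints, a genuine loopback internal call, a spoofed non-admin call, and
// an unspoofed denied request.
const SAMPLE_LOG = [
  '{"ts":"2026-03-08T10:01:02Z","src":"203.0.113.7","user":"tenant-42","method":"GET","path":"/api/v1/credentials","status":200,"x_request_from":"internal"}',
  '{"ts":"2026-03-08T10:01:05Z","src":"203.0.113.7","user":"tenant-42","method":"GET","path":"/api/v1/apikey","status":200,"x_request_from":"Internal"}',
  '{"ts":"2026-03-08T10:01:09Z","src":"203.0.113.7","user":"tenant-42","method":"POST","path":"/api/v1/tools","status":201,"x_request_from":"internal"}',
  '{"ts":"2026-03-08T10:02:00Z","src":"127.0.0.1","user":null,"method":"GET","path":"/api/v1/credentials","status":200,"x_request_from":"internal"}',
  '{"ts":"2026-03-08T10:02:30Z","src":"198.51.100.9","user":"tenant-7","method":"POST","path":"/api/v1/prediction/abc","status":200,"x_request_from":"internal"}',
  '{"ts":"2026-03-08T10:03:00Z","src":"198.51.100.9","user":"tenant-7","method":"GET","path":"/api/v1/credentials","status":403}',
  'this line is not json',
];

console.log(report(SAMPLE_LOG).join('\n'));
```

Run it against the sample and tenant-42 surfaces with three spoofed admin calls, tenant-7 with one spoofed non-admin call, and the loopback call is ignored. If your Flowise internal callers share the public ingress, pass an empty Set for `trustedSources` and triage by source instead of pre-filtering.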
Technical Details
NVD Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.
Exploitation Scenario
An attacker registers a free trial or obtains a low-privilege tenant account on a target Flowise instance. Using browser developer tools or a simple Python script, they replay authenticated requests to `GET /api/v1/credentials` and `GET /api/v1/apikey` with the header `x-request-from: internal` appended. Flowise's authorization middleware skips all permission checks and returns the full credential store, including production API keys for OpenAI, Anthropic, or other LLM providers. The attacker then uses those keys to exfiltrate data via direct LLM API calls, spin up parallel inference workloads (cost harvesting), or pivot to connected databases and SaaS tools. In a more destructive path, the attacker calls the custom function execution endpoints to achieve remote code execution inside the Flowise container, which becomes full host-level access in uncontainerized deployments.
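The trust pattern described in the NVD text and the scenario above, together with the gateway stripping recommended under Recommended Action, as an added example in JavaScript. This is illustrative code, not Flowise's own middleware and not a description of the 3.0.13 patch: the request shape, role names, `ADMIN_PATHS` and the `internal` property are assumptions. It shows the vulnerable check beside a hardened one in which "internal" is a fact the server establishes itself rather than a header any client can send.

```javascript
// Added example (not Flowise code, not the 3.0.13 fix): the header-trust
// bug behind CVE-2026-30820 on a plain-object request model, beside a
// hardened variant. Request shape, roles and paths are assumptions.

// Admin surfaces named in the advisory.
const ADMIN_PATHS = ['/api/v1/apikey', '/api/v1/credentials', '/api/v1/tools'];

function isAdminPath(path) {
  return ADMIN_PATHS.some((p) => path === p || path.startsWith(p + '/'));
}

// Shared RBAC (assumed model): admin endpoints need the admin role,
// everything else needs any authenticated user.
function rbac(req) {
  if (!req.user) return { allowed: false, reason: 'unauthenticated' };
  if (isAdminPath(req.path) && req.user.role !== 'admin') {
    return { allowed: false, reason: 'insufficient-role' };
  }
  return { allowed: true, reason: 'rbac' };
}

// Header lookup that is case-insensitive in the name, as HTTP is.
function header(req, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(req.headers ?? {})) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// VULNERABLE: a value any client can put on the wire short-circuits RBAC.
function vulnerableAuthorize(req) {
  if (header(req, 'x-request-from') === 'internal') {
    return { allowed: true, reason: 'trusted-header' };
  }
  return rbac(req);
}

// HARDENED step 1 (gateway/WAF): drop the header from every inbound request,
// whatever its value, before the app sees it. Returns a new headers object.
function stripInboundHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers ?? {})) {
    if (k.toLowerCase() !== 'x-request-from') out[k] = v;
  }
  return out;
}

// HARDENED step 2 (app): "internal" is a property only the server's own code
// sets on requests it dispatches in-process; it is never read from headers.
function hardenedAuthorize(req) {
  if (req.internal === true) return { allowed: true, reason: 'in-process' };
  return rbac(req);
}

// How a server subsystem makes an internal call: it builds the request
// object directly, so no client-controlled bytes are involved.
function dispatchInternal(path) {
  return { path, headers: {}, user: null, internal: true };
}

// Ingress wrapper: strip the header and force internal=false, so nothing
// arriving over the network can claim internal status by any route.
function ingress(req) {
  return { ...req, headers: stripInboundHeaders(req.headers), internal: false };
}

// Constructed sample request: a low-privilege tenant replaying its session
// cookie with the spoofed header, as in the exploitation scenario.
const SPOOFED = {
  path: '/api/v1/credentials',
  headers: { cookie: 'session=abc123', 'X-Request-From': 'internal' },
  user: { id: 'tenant-42', role: 'member' },
};

console.log('vulnerable :', vulnerableAuthorize(SPOOFED));
console.log('hardened   :', hardenedAuthorize(ingress(SPOOFED)));
console.log('in-process :', hardenedAuthorize(dispatchInternal('/api/v1/credentials')));
```

Two design points are worth noting. Stripping alone (`vulnerableAuthorize(ingress(SPOOFED))`) already closes the wire path, which is why the WAF rule is a sound stop-gap, but it leaves the dangerous check in the code for the next ingress that forgets to strip. And `ingress` sets `internal: false` unconditionally rather than leaving it absent, so a request object rebuilt from a deserialized body cannot smuggle the flag either.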
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 (Product Release)
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq (Vendor advisory; Exploit)
Related Vulnerabilities
- CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection (same package: flowise)
- CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE (same package: flowise)
- CVE-2026-30824 9.8 Flowise: auth bypass exposes NVIDIA NIM container endpoints (same package: flowise)
- CVE-2025-58434 9.8 Flowise: auth bypass in reset flow allows full ATO (same package: flowise)
- CVE-2026-30821 9.8 flowise: Arbitrary File Upload enables RCE (same package: flowise)