CVE-2026-30820: Flowise: header spoof auth bypass exposes admin API & creds
Severity: HIGH. PoC available. CISA SSVC: Attend.

Flowise, a widely-deployed drag-and-drop LLM workflow builder, allows any authenticated tenant to gain full administrative access by spoofing a single HTTP header: `x-request-from: internal`. Once escalated, the attacker can read all stored LLM provider credentials (OpenAI, Anthropic, etc.), manage API keys, and execute arbitrary custom functions — the blast radius is total compromise of every secret the Flowise instance holds. A public proof-of-concept is available and exploitation requires no specialized skills; CVSS 8.8 with AC:L/PR:L means any trial or low-privilege account is sufficient. Patch to Flowise 3.0.13 immediately, and as a stop-gap, configure your API gateway or WAF to strip or reject external requests bearing the `x-request-from: internal` header.
What is the risk?
High risk in any multi-user or SaaS Flowise deployment. The attack is network-reachable, low-complexity, requires only a valid (low-privilege) account, and yields full administrative access including credential exfiltration and code execution via custom functions. Sixteen prior CVEs in this package indicate a pattern of security debt. Public PoC eliminates any exploitation barrier; expect opportunistic scanning within days of disclosure. Not yet in CISA KEV but the CVSS and PoC availability make active exploitation likely.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | — | No patch |
Do you use flowise? You're affected.
What should I do?
1. Patch: Upgrade all Flowise instances to version 3.0.13 immediately — the fix removes trust in the `x-request-from: internal` header from unauthenticated/untrusted sources.
2. Interim WAF control: Add a rule to strip or block inbound HTTP requests containing the `x-request-from: internal` header before they reach the Flowise service.
3. Credential rotation: Assume compromise of all API keys stored in any Flowise credential store running pre-3.0.13; rotate LLM provider keys, database credentials, and integration secrets.
4. Detection: Query access logs for any calls to `/api/v1/apikey`, `/api/v1/credentials`, or `/api/v1/tools` with this header from unexpected tenants.
5. Audit accounts: Review all tenant accounts — especially trial/low-privilege — for anomalous API activity in the period since the advisory was published (2026-03-07).
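As an added example, not part of the advisory or of Flowise itself, the detection step in JavaScript over a constructed JSON access log (the `tenant`, `src_ip` and `headers` fields are assumptions about the gateway's log format): it flags any externally sourced request that carries `x-request-from` at all, matching the header name case-insensitively, and marks hits on the three admin endpoints named above.

```javascript
// Added example (not from the advisory or the Flowise project): scan access-log
// records for the header-spoof pattern the steps above describe. The JSON log
// shape and the sample records are constructed; adapt field names to your gateway.
const SENSITIVE_PREFIXES = ["/api/v1/apikey", "/api/v1/credentials", "/api/v1/tools"];
// Assumption: Flowise's own internal calls reach the service only from loopback.
const TRUSTED_INTERNAL_SOURCES = new Set(["127.0.0.1", "::1"]);

// HTTP header names are case-insensitive, so match the name case-insensitively.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// Returns one finding per external request that carried x-request-from at all:
// no legitimate client sets it, so any value from outside is worth a look, and
// hits on the admin endpoints named in the advisory are marked `sensitive`.
function findHeaderSpoofAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    const value = headerValue(rec.headers, "x-request-from");
    if (value === undefined || TRUSTED_INTERNAL_SOURCES.has(rec.src_ip)) continue;
    const path = (rec.path || "").split("?")[0];
    const sensitive = SENSITIVE_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
    hits.push({ ts: rec.ts, tenant: rec.tenant, src_ip: rec.src_ip, path, value, sensitive });
  }
  return hits;
}

// Constructed sample records (TEST-NET addresses, invented tenant ids), not real logs.
const SAMPLE_LOG = [
  '{"ts":"2026-03-08T10:00:01Z","src_ip":"127.0.0.1","tenant":"system","method":"GET","path":"/api/v1/credentials","headers":{"x-request-from":"internal"},"status":200}',
  '{"ts":"2026-03-08T10:02:11Z","src_ip":"203.0.113.7","tenant":"trial-4412","method":"GET","path":"/api/v1/credentials","headers":{"X-Request-From":"internal","cookie":"[redacted]"},"status":200}',
  '{"ts":"2026-03-08T10:02:12Z","src_ip":"203.0.113.7","tenant":"trial-4412","method":"GET","path":"/api/v1/apikey?page=1","headers":{"x-request-from":"internal"},"status":200}',
  '{"ts":"2026-03-08T10:03:00Z","src_ip":"198.51.100.9","tenant":"acme","method":"POST","path":"/api/v1/prediction/abc","headers":{"content-type":"application/json"},"status":200}',
  "not json at all",
];

for (const hit of findHeaderSpoofAttempts(SAMPLE_LOG)) {
  console.log(JSON.stringify(hit));
}
```

A request with a 200 status on one of the flagged paths from a non-admin tenant is the signal that the bypass actually succeeded and that the credential rotation in step 3 is not optional.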
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-30820 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-30820, increasing the risk of exploitation.
What systems are affected by CVE-2026-30820?
This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM workflow orchestration, AI development platforms, Multi-tenant AI SaaS, RAG pipelines.
What is the CVSS score for CVE-2026-30820?
CVE-2026-30820 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.13%.
Technical Details
NVD Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.
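An added illustration, not Flowise's code, of the trust pattern the NVD text describes: a client-supplied header short-circuits authorization, shown beside a check that only honours the header when the connection origin backs it and otherwise relies on the session role, plus the gateway-side strip. The request shape, the `remoteAddress` field and treating loopback as the only internal origin are assumptions made for the example.

```javascript
// Added illustration, not Flowise's code: the header-trust pattern that CVE-2026-30820
// describes beside a check that derives trust from the session and the connection
// instead. Request objects and field names are constructed for the example.
const ADMIN_ONLY = ["/api/v1/apikey", "/api/v1/credentials", "/api/v1/tools"];
const isAdminPath = (p) => ADMIN_ONLY.some((a) => p === a || p.startsWith(a + "/"));
const headerCI = (h, name) =>
  Object.entries(h || {}).find(([k]) => k.toLowerCase() === name.toLowerCase())?.[1];
// Assumption: only Flowise's own components connect over loopback.
const fromLoopback = (req) => req.remoteAddress === "127.0.0.1" || req.remoteAddress === "::1";

// Vulnerable pattern: a client-controllable header short-circuits authorization.
function authorizeVulnerable(req) {
  if (headerCI(req.headers, "x-request-from") === "internal") return true; // trusts the client
  if (!req.session) return false;
  return isAdminPath(req.path) ? req.session.role === "admin" : true;
}

// Hardened pattern: the header alone proves nothing; "internal" must be backed by a
// property the client cannot set (here the connection origin), and admin endpoints
// always require an admin session.
function authorizeFixed(req) {
  if (fromLoopback(req) && headerCI(req.headers, "x-request-from") === "internal") return true;
  if (!req.session) return false;
  return isAdminPath(req.path) ? req.session.role === "admin" : true;
}

// Gateway control (defence in depth): remove the header from external traffic so an
// unpatched backend never sees a spoofed value; loopback traffic is left untouched.
function stripUntrustedHeaders(req) {
  if (fromLoopback(req)) return req;
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).filter(([k]) => k.toLowerCase() !== "x-request-from"));
  return { ...req, headers };
}

// Constructed request: a low-privilege tenant session with the header added.
const SPOOFED = {
  remoteAddress: "203.0.113.7", path: "/api/v1/credentials",
  headers: { "X-Request-From": "internal", cookie: "[redacted]" },
  session: { user: "trial-4412", role: "member" },
};
console.log("vulnerable:", authorizeVulnerable(SPOOFED));                                           // true (bypass)
console.log("fixed:", authorizeFixed(SPOOFED));                                                      // false
console.log("vulnerable after gateway strip:", authorizeVulnerable(stripUntrustedHeaders(SPOOFED))); // false
```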
Exploitation Scenario
An attacker registers a free trial or obtains a low-privilege tenant account on a target Flowise instance. Using browser developer tools or a simple Python script, they replay authenticated requests to `GET /api/v1/credentials` and `GET /api/v1/apikey` with the header `x-request-from: internal` appended. Flowise's authorization middleware skips all permission checks and returns the full credential store — including production API keys for OpenAI, Anthropic, or other LLM providers. The attacker then uses those keys to exfiltrate data via direct LLM API calls, spin up parallel inference workloads (cost harvesting), or pivot to connected databases and SaaS tools. In a more destructive path, the attacker calls custom function execution endpoints to achieve remote code execution inside the Flowise container, enabling full host-level access in uncontainerized deployments.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 (Product Release)
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq (Exploit, Vendor)
Related Vulnerabilities
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection (same package: flowise)
- CVE-2025-61913 (9.9) Flowise: path traversal in file tools leads to RCE (same package: flowise)
- CVE-2026-40933 (9.9) Flowise: RCE via MCP stdio command injection (same package: flowise)
- CVE-2026-30824 (9.8) Flowise: auth bypass exposes NVIDIA NIM container endpoints (same package: flowise)
- CVE-2025-58434 (9.8) Flowise: auth bypass in reset flow allows full ATO (same package: flowise)