CVE-2026-30823: Flowise: IDOR enables account takeover and SSO bypass
Severity: UNKNOWN (no CVSS score assigned). Public PoC available.

Flowise versions prior to 3.0.13 contain an Insecure Direct Object Reference (IDOR) vulnerability that allows attackers to take over arbitrary user accounts and bypass enterprise SSO configurations without proper authorization. For organizations running Flowise to orchestrate AI agent workflows, a full account takeover means adversaries gain access to all configured AI pipelines, embedded LLM API keys (OpenAI, Anthropic, Azure OpenAI), and connected data sources — effectively full compromise of the AI orchestration layer. A public proof-of-concept exploit exists, lowering the exploitation bar to near-trivial despite the absence of a formal CVSS score, and with 16 prior CVEs in this package, Flowise's security track record compounds the urgency. Upgrade to Flowise 3.0.13 immediately, rotate all embedded credentials, and audit SSO configurations and access logs for unauthorized modifications since 2026-03-07.
Risk Assessment
HIGH risk despite missing CVSS score. IDOR leading to account takeover is a well-understood, consistently exploitable vulnerability class, and the availability of a public PoC reduces attacker skill requirements to near-trivial. In an AI orchestration platform, account takeover translates directly to complete control over all AI workflows, credentials, and data access — blast radius scales with how many LLM APIs and data sources are connected. The 16 prior CVEs in this package suggest a pattern of inadequate security review that should factor into procurement and deployment decisions.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | < 3.0.13 | 3.0.13 |
Recommended Action
- Upgrade to Flowise 3.0.13 immediately — the patch directly addresses the IDOR in account and SSO management endpoints.
- Rotate all LLM API keys and credentials stored within Flowise flows (OpenAI, Anthropic, database URIs, etc.) as a precaution — assume they may have been exfiltrated.
- Review and re-validate SSO configurations against your IdP; look for unauthorized identity provider additions or SAML/OIDC config changes.
- Audit application access logs for IDOR exploitation patterns (sequential user ID enumeration in API calls) from 2026-03-07 onward.
- If immediate patching is not possible, restrict Flowise access to internal networks or VPN-only and disable public endpoints until patched.
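Detection logic for the log audit recommended above, as an added example that is not part of this advisory or of the Flowise project: it flags clients that request a contiguous run of user IDs within a short window (the enumeration pattern named in the action item) and clients that wrote to the SSO configuration in the same audit period, so the two can be intersected. The log line format and the /api/v1/user/<id> and /api/v1/sso/config paths are assumptions; adapt the regexes to your proxy's format and to Flowise's actual routes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (client, timestamp, method, path, status).
# The /api/v1/user/<id> and /api/v1/sso/config paths are assumed, not Flowise's documented routes.
SAMPLE_LOG = """\
203.0.113.7 [2026-03-08T10:00:01Z] "GET /api/v1/user/101" 200
203.0.113.7 [2026-03-08T10:00:02Z] "GET /api/v1/user/102" 200
203.0.113.7 [2026-03-08T10:00:02Z] "GET /api/v1/user/103" 200
203.0.113.7 [2026-03-08T10:00:03Z] "GET /api/v1/user/104" 200
203.0.113.7 [2026-03-08T10:00:09Z] "PUT /api/v1/sso/config" 200
198.51.100.4 [2026-03-08T10:01:00Z] "GET /api/v1/user/42" 200
198.51.100.4 [2026-03-08T10:02:00Z] "GET /api/v1/user/42" 200
192.0.2.9 [2026-03-01T09:00:00Z] "GET /api/v1/user/7" 200
"""
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\w+) (\S+)" (\d{3})$')
USER_RE = re.compile(r"^/api/v1/user/(\d+)$")
AUDIT_START = datetime.fromisoformat("2026-03-07T00:00:00+00:00")  # per the advisory

def parse(log_text):
    """Yield (client, ts, method, path) for well-formed lines on or after AUDIT_START."""
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        client, ts_raw, method, path, _status = m.groups()
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        if ts >= AUDIT_START:
            yield client, ts, method, path

def find_enumeration(log_text, min_ids=3, window_seconds=60):
    """Client -> contiguous run of >= min_ids distinct user ids requested within window_seconds."""
    per_client = defaultdict(list)
    for client, ts, _method, path in parse(log_text):
        u = USER_RE.match(path)
        if u:
            per_client[client].append((ts, int(u.group(1))))
    findings = {}
    for client, events in per_client.items():
        events.sort()
        for start, _ in events:  # slide a window starting at each request
            ids = sorted({uid for ts, uid in events
                          if 0 <= (ts - start).total_seconds() <= window_seconds})
            if len(ids) >= min_ids and ids[-1] - ids[0] == len(ids) - 1:
                findings[client] = ids
                break
    return findings

def sso_writers(log_text):
    """Clients that wrote SSO config; intersect with find_enumeration() to prioritise re-validation."""
    return {c for c, _ts, m, p in parse(log_text)
            if m in ("PUT", "POST", "PATCH") and p.startswith("/api/v1/sso/")}
```

Repeated requests for one ID (198.51.100.4) and activity before the audit window (192.0.2.9) are intentionally not flagged, so the output is a short list of clients worth a closer look rather than a dump of all user-endpoint traffic.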
Technical Details
NVD Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13.
Exploitation Scenario
An adversary targeting an organization running Flowise to manage their LangChain-based RAG pipeline discovers the publicly accessible Flowise instance. Using the IDOR vulnerability, they manipulate user ID parameters in API requests — cycling through integer IDs — to access admin account settings without authentication. With admin control, they modify the SSO configuration to register their own identity provider, granting persistent backdoor access that survives password resets. They then enumerate all configured flows, extracting embedded OpenAI API keys, PostgreSQL connection strings for the vector database, and Slack webhook URLs. Stolen API keys are monetized by reselling LLM inference access, while database credentials enable exfiltration of the entire RAG knowledge base containing the organization's proprietary data.
References
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 (product release)
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm (vendor advisory; exploit reference)
Related Vulnerabilities (same package: flowise)
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection
- CVE-2025-61913 (9.9) Flowise: path traversal in file tools leads to RCE
- CVE-2026-30824 (9.8) Flowise: auth bypass exposes NVIDIA NIM container endpoints
- CVE-2026-30821 (9.8) flowise: Arbitrary File Upload enables RCE
- CVE-2025-58434 (9.8) Flowise: auth bypass in reset flow allows full ATO