CVE-2026-30823: Flowise: IDOR enables account takeover and SSO bypass
UNKNOWN PoC AVAILABLE CISA: ATTENDFlowise versions prior to 3.0.13 contain an Insecure Direct Object Reference (IDOR) vulnerability that allows attackers to take over arbitrary user accounts and bypass enterprise SSO configurations without proper authorization. For organizations running Flowise to orchestrate AI agent workflows, a full account takeover means adversaries gain access to all configured AI pipelines, embedded LLM API keys (OpenAI, Anthropic, Azure OpenAI), and connected data sources — effectively full compromise of the AI orchestration layer. A public proof-of-concept exploit exists, lowering the exploitation bar to near-trivial despite the absence of a formal CVSS score, and with 16 prior CVEs in this package, Flowise's security track record compounds the urgency. Upgrade to Flowise 3.0.13 immediately, rotate all embedded credentials, and audit SSO configurations and access logs for unauthorized modifications since 2026-03-07.
What is the risk?
HIGH risk despite missing CVSS score. IDOR leading to account takeover is a well-understood, consistently exploitable vulnerability class, and the availability of a public PoC reduces attacker skill requirements to near-trivial. In an AI orchestration platform, account takeover translates directly to complete control over all AI workflows, credentials, and data access — blast radius scales with how many LLM APIs and data sources are connected. The 16 prior CVEs in this package suggest a pattern of inadequate security review that should factor into procurement and deployment decisions.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | — | No patch |
Do you use Flowise? You're affected.
How severe is it?
What should I do?
5 steps-
Upgrade to Flowise 3.0.13 immediately — the patch directly addresses the IDOR in account and SSO management endpoints.
-
Rotate all LLM API keys and credentials stored within Flowise flows (OpenAI, Anthropic, database URIs, etc.) as a precaution — assume they may have been exfiltrated.
-
Review and re-validate SSO configurations against your IdP; look for unauthorized identity provider additions or SAML/OIDC config changes.
-
Audit application access logs for IDOR exploitation patterns (sequential user ID enumeration in API calls) from 2026-03-07 onward.
-
If immediate patching is not possible, restrict Flowise access to internal networks or VPN-only and disable public endpoints until patched.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-30823?
Flowise versions prior to 3.0.13 contain an Insecure Direct Object Reference (IDOR) vulnerability that allows attackers to take over arbitrary user accounts and bypass enterprise SSO configurations without proper authorization. For organizations running Flowise to orchestrate AI agent workflows, a full account takeover means adversaries gain access to all configured AI pipelines, embedded LLM API keys (OpenAI, Anthropic, Azure OpenAI), and connected data sources — effectively full compromise of the AI orchestration layer. A public proof-of-concept exploit exists, lowering the exploitation bar to near-trivial despite the absence of a formal CVSS score, and with 16 prior CVEs in this package, Flowise's security track record compounds the urgency. Upgrade to Flowise 3.0.13 immediately, rotate all embedded credentials, and audit SSO configurations and access logs for unauthorized modifications since 2026-03-07.
Is CVE-2026-30823 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-30823, increasing the risk of exploitation.
How to fix CVE-2026-30823?
1. Upgrade to Flowise 3.0.13 immediately — the patch directly addresses the IDOR in account and SSO management endpoints. 2. Rotate all LLM API keys and credentials stored within Flowise flows (OpenAI, Anthropic, database URIs, etc.) as a precaution — assume they may have been exfiltrated. 3. Review and re-validate SSO configurations against your IdP; look for unauthorized identity provider additions or SAML/OIDC config changes. 4. Audit application access logs for IDOR exploitation patterns (sequential user ID enumeration in API calls) from 2026-03-07 onward. 5. If immediate patching is not possible, restrict Flowise access to internal networks or VPN-only and disable public endpoints until patched.
What systems are affected by CVE-2026-30823?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, RAG pipelines, enterprise SSO integrations.
What is the CVSS score for CVE-2026-30823?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application AML.T0081 Modify AI Agent Configuration AML.T0083 Credentials from AI Agent Configuration AML.T0106 Exploitation for Credential Access Compliance Controls Affected
What are the technical details?
Original Advisory
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13.
Exploitation Scenario
An adversary targeting an organization running Flowise to manage their LangChain-based RAG pipeline discovers the publicly accessible Flowise instance. Using the IDOR vulnerability, they manipulate user ID parameters in API requests — cycling through integer IDs — to access admin account settings without authentication. With admin control, they modify the SSO configuration to register their own identity provider, granting persistent backdoor access that survives password resets. They then enumerate all configured flows, extracting embedded OpenAI API keys, PostgreSQL connection strings for the vector database, and Slack webhook URLs. Stolen API keys are monetized by reselling LLM inference access, while database credentials enable exfiltration of the entire RAG knowledge base containing the organization's proprietary data.
Weaknesses (CWE)
CWE-639 Authorization Bypass Through User-Controlled Key
Primary
CWE-862 Missing Authorization
Primary
CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
- [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
- [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Source: MITRE CWE corpus.
References
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 Product Release
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm Exploit Vendor
Timeline
Related Vulnerabilities
CVE-2025-71338 10.0 Flowise: unauthenticated file write enables RCE
Same package: flowise CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise