CVE-2026-30824: Flowise: auth bypass exposes NVIDIA NIM container endpoints

CRITICAL PoC AVAILABLE NUCLEI TEMPLATE CISA: TRACK*
Published March 7, 2026
CISO Take

Flowise prior to version 3.0.13 contains a critical authentication bypass (CWE-306, CVSS 9.8) where the NVIDIA NIM router path `/api/v1/nvidia-nim/*` was whitelisted in the global auth middleware, leaving privileged container management and token generation endpoints fully accessible to unauthenticated network attackers. With a perfect exploitation profile — network-accessible, zero credentials required, zero user interaction, low complexity — and a public PoC already available, any internet-exposed Flowise instance should be treated as pre-compromised. Successful exploitation gives attackers control over LLM inference containers and the ability to generate API tokens, creating a direct foothold into AI inference infrastructure. Patch to version 3.0.13 immediately; if patching is delayed, block `/api/v1/nvidia-nim/*` at the network perimeter, restrict Flowise API exposure to internal networks only, and rotate any tokens that may have been generated during the exposure window.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Critical. CVSS 9.8 reflects the worst-case exploit profile: network-accessible, zero authentication required, zero user interaction, low attack complexity, with full confidentiality, integrity, and availability impact. A public PoC lowers the bar to script-kiddie level, making mass exploitation plausible. The package has 16 prior CVEs, indicating a pattern of security debt. Not yet in CISA KEV, but the combination of critical severity, public PoC, and unauthenticated network access makes active exploitation imminent. Any Flowise deployment exposed beyond a trusted network perimeter should be treated as at acute risk.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
36.3%
chance of exploitation in 30 days
Higher than 98% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
EPSS exploit prediction: 36%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps
  1. Patch immediately: upgrade Flowise to version 3.0.13 or later per the official release at the GitHub advisory.

  2. If immediate patching is not possible, configure a reverse proxy (nginx, Caddy) or WAF rule to block all unauthenticated requests to /api/v1/nvidia-nim/* paths.

  3. Flowise APIs should never be internet-facing without authentication; restrict access to internal networks or place behind a VPN.

  4. Audit NVIDIA NIM access logs for anomalous activity and unauthorized token generation events predating patch application.

  5. Rotate all API tokens that could have been generated or exposed during the vulnerability window.

  6. Verify patch status by probing the /api/v1/nvidia-nim/ endpoint path on all Flowise instances — a 401 response confirms auth is enforced.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.2 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to ensure that AI risks are tracked and managed
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-30824?

Flowise prior to version 3.0.13 contains a critical authentication bypass (CWE-306, CVSS 9.8) where the NVIDIA NIM router path `/api/v1/nvidia-nim/*` was whitelisted in the global auth middleware, leaving privileged container management and token generation endpoints fully accessible to unauthenticated network attackers. With a perfect exploitation profile — network-accessible, zero credentials required, zero user interaction, low complexity — and a public PoC already available, any internet-exposed Flowise instance should be treated as pre-compromised. Successful exploitation gives attackers control over LLM inference containers and the ability to generate API tokens, creating a direct foothold into AI inference infrastructure. Patch to version 3.0.13 immediately; if patching is delayed, block `/api/v1/nvidia-nim/*` at the network perimeter, restrict Flowise API exposure to internal networks only, and rotate any tokens that may have been generated during the exposure window.

Is CVE-2026-30824 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-30824, increasing the risk of exploitation.

How to fix CVE-2026-30824?

1. Patch immediately: upgrade Flowise to version 3.0.13 or later per the official release at the GitHub advisory. 2. If immediate patching is not possible, configure a reverse proxy (nginx, Caddy) or WAF rule to block all unauthenticated requests to `/api/v1/nvidia-nim/*` paths. 3. Flowise APIs should never be internet-facing without authentication; restrict access to internal networks or place behind a VPN. 4. Audit NVIDIA NIM access logs for anomalous activity and unauthorized token generation events predating patch application. 5. Rotate all API tokens that could have been generated or exposed during the vulnerability window. 6. Verify patch status by probing the `/api/v1/nvidia-nim/` endpoint path on all Flowise instances — a 401 response confirms auth is enforced.

What systems are affected by CVE-2026-30824?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow platforms, NVIDIA NIM inference deployments, Container-based AI inference infrastructure, Agent frameworks, No-code AI pipeline builders.

What is the CVSS score for CVE-2026-30824?

CVE-2026-30824 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 36.25%.

What is the AI security impact?

Affected AI Architectures

LLM workflow platformsNVIDIA NIM inference deploymentsContainer-based AI inference infrastructureAgent frameworksNo-code AI pipeline builders

MITRE ATLAS Techniques

AML.T0034 Cost Harvesting
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13.

Exploitation Scenario

An attacker uses Shodan or Censys to fingerprint internet-facing Flowise deployments running versions prior to 3.0.13. Armed with the public PoC from the GitHub advisory, they send unauthenticated HTTP GET/POST requests directly to `/api/v1/nvidia-nim/` management endpoints — no credentials, no user interaction required. They enumerate available container management operations, invoke token generation endpoints to mint valid API tokens for the NVIDIA NIM backend, and use those tokens to authenticate to inference infrastructure for further access. The entire attack chain runs in minutes, enabling lateral movement into GPU inference resources, exfiltration of model configurations, or sustained cost harvesting against the victim's NVIDIA NIM deployment.

Weaknesses (CWE)

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  • [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
March 7, 2026
Last Modified
March 11, 2026
First Seen
March 7, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2026/CVE-2026-30824.yaml -u https://target.example.com

Related Vulnerabilities