CVE-2026-30824 — CRITICAL (CVSS 9.8)

CISO Take

Flowise prior to version 3.0.13 contains a critical authentication bypass (CWE-306, CVSS 9.8) where the NVIDIA NIM router path `/api/v1/nvidia-nim/*` was whitelisted in the global auth middleware, leaving privileged container management and token generation endpoints fully accessible to unauthenticated network attackers. With a perfect exploitation profile — network-accessible, zero credentials required, zero user interaction, low complexity — and a public PoC already available, any internet-exposed Flowise instance should be treated as pre-compromised. Successful exploitation gives attackers control over LLM inference containers and the ability to generate API tokens, creating a direct foothold into AI inference infrastructure. Patch to version 3.0.13 immediately; if patching is delayed, block `/api/v1/nvidia-nim/*` at the network perimeter, restrict Flowise API exposure to internal networks only, and rotate any tokens that may have been generated during the exposure window.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Critical. CVSS 9.8 reflects the worst-case exploit profile: network-accessible, zero authentication required, zero user interaction, low attack complexity, with full confidentiality, integrity, and availability impact. A public PoC lowers the bar to script-kiddie level, making mass exploitation plausible. The package has 16 prior CVEs, indicating a pattern of security debt. Not yet in CISA KEV, but the combination of critical severity, public PoC, and unauthenticated network access makes active exploitation imminent. Any Flowise deployment exposed beyond a trusted network perimeter should be treated as at acute risk.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
flowise	npm	—	No patch

Do you use flowise? You're affected.

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

13.1%

chance of exploitation in 30 days

Higher than 94% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ EPSS exploit prediction: 13%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

6 steps

Patch immediately: upgrade Flowise to version 3.0.13 or later per the official release at the GitHub advisory.
If immediate patching is not possible, configure a reverse proxy (nginx, Caddy) or WAF rule to block all unauthenticated requests to /api/v1/nvidia-nim/* paths.
Flowise APIs should never be internet-facing without authentication; restrict access to internal networks or place behind a VPN.
Audit NVIDIA NIM access logs for anomalous activity and unauthorized token generation events predating patch application.
Rotate all API tokens that could have been generated or exposed during the vulnerability window.
Verify patch status by probing the /api/v1/nvidia-nim/ endpoint path on all Flowise instances — a 401 response confirms auth is enforced.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Code Execution Agent Inference Framework AML.T0034 - Cost Harvesting AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.2 - AI system security

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to ensure that AI risks are tracked and managed

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-30824?

Flowise prior to version 3.0.13 contains a critical authentication bypass (CWE-306, CVSS 9.8) where the NVIDIA NIM router path `/api/v1/nvidia-nim/*` was whitelisted in the global auth middleware, leaving privileged container management and token generation endpoints fully accessible to unauthenticated network attackers. With a perfect exploitation profile — network-accessible, zero credentials required, zero user interaction, low complexity — and a public PoC already available, any internet-exposed Flowise instance should be treated as pre-compromised. Successful exploitation gives attackers control over LLM inference containers and the ability to generate API tokens, creating a direct foothold into AI inference infrastructure. Patch to version 3.0.13 immediately; if patching is delayed, block `/api/v1/nvidia-nim/*` at the network perimeter, restrict Flowise API exposure to internal networks only, and rotate any tokens that may have been generated during the exposure window.

Is CVE-2026-30824 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-30824, increasing the risk of exploitation.

How to fix CVE-2026-30824?

1. Patch immediately: upgrade Flowise to version 3.0.13 or later per the official release at the GitHub advisory. 2. If immediate patching is not possible, configure a reverse proxy (nginx, Caddy) or WAF rule to block all unauthenticated requests to `/api/v1/nvidia-nim/*` paths. 3. Flowise APIs should never be internet-facing without authentication; restrict access to internal networks or place behind a VPN. 4. Audit NVIDIA NIM access logs for anomalous activity and unauthorized token generation events predating patch application. 5. Rotate all API tokens that could have been generated or exposed during the vulnerability window. 6. Verify patch status by probing the `/api/v1/nvidia-nim/` endpoint path on all Flowise instances — a 401 response confirms auth is enforced.

What systems are affected by CVE-2026-30824?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow platforms, NVIDIA NIM inference deployments, Container-based AI inference infrastructure, Agent frameworks, No-code AI pipeline builders.

What is the CVSS score for CVE-2026-30824?

CVE-2026-30824 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 13.10%.

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13.

Exploitation Scenario

An attacker uses Shodan or Censys to fingerprint internet-facing Flowise deployments running versions prior to 3.0.13. Armed with the public PoC from the GitHub advisory, they send unauthenticated HTTP GET/POST requests directly to `/api/v1/nvidia-nim/` management endpoints — no credentials, no user interaction required. They enumerate available container management operations, invoke token generation endpoints to mint valid API tokens for the NVIDIA NIM backend, and use those tokens to authenticate to inference infrastructure for further access. The entire attack chain runs in minutes, enabling lateral movement into GPU inference resources, exfiltration of model configurations, or sustained cost harvesting against the victim's NVIDIA NIM deployment.