CVE-2026-30824: Flowise: auth bypass exposes NVIDIA NIM container endpoints
CRITICAL PoC AVAILABLE NUCLEI TEMPLATE CISA: TRACK*Flowise prior to version 3.0.13 contains a critical authentication bypass (CWE-306, CVSS 9.8) where the NVIDIA NIM router path `/api/v1/nvidia-nim/*` was whitelisted in the global auth middleware, leaving privileged container management and token generation endpoints fully accessible to unauthenticated network attackers. With a perfect exploitation profile — network-accessible, zero credentials required, zero user interaction, low complexity — and a public PoC already available, any internet-exposed Flowise instance should be treated as pre-compromised. Successful exploitation gives attackers control over LLM inference containers and the ability to generate API tokens, creating a direct foothold into AI inference infrastructure. Patch to version 3.0.13 immediately; if patching is delayed, block `/api/v1/nvidia-nim/*` at the network perimeter, restrict Flowise API exposure to internal networks only, and rotate any tokens that may have been generated during the exposure window.
What is the risk?
Critical. CVSS 9.8 reflects the worst-case exploit profile: network-accessible, zero authentication required, zero user interaction, low attack complexity, with full confidentiality, integrity, and availability impact. A public PoC lowers the bar to script-kiddie level, making mass exploitation plausible. The package has 16 prior CVEs, indicating a pattern of security debt. Not yet in CISA KEV, but the combination of critical severity, public PoC, and unauthenticated network access makes active exploitation imminent. Any Flowise deployment exposed beyond a trusted network perimeter should be treated as at acute risk.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | — | No patch |
Do you use Flowise? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
Patch immediately: upgrade Flowise to version 3.0.13 or later per the official release at the GitHub advisory.
-
If immediate patching is not possible, configure a reverse proxy (nginx, Caddy) or WAF rule to block all unauthenticated requests to
/api/v1/nvidia-nim/*paths. -
Flowise APIs should never be internet-facing without authentication; restrict access to internal networks or place behind a VPN.
-
Audit NVIDIA NIM access logs for anomalous activity and unauthorized token generation events predating patch application.
-
Rotate all API tokens that could have been generated or exposed during the vulnerability window.
-
Verify patch status by probing the
/api/v1/nvidia-nim/endpoint path on all Flowise instances — a 401 response confirms auth is enforced.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-30824?
Flowise prior to version 3.0.13 contains a critical authentication bypass (CWE-306, CVSS 9.8) where the NVIDIA NIM router path `/api/v1/nvidia-nim/*` was whitelisted in the global auth middleware, leaving privileged container management and token generation endpoints fully accessible to unauthenticated network attackers. With a perfect exploitation profile — network-accessible, zero credentials required, zero user interaction, low complexity — and a public PoC already available, any internet-exposed Flowise instance should be treated as pre-compromised. Successful exploitation gives attackers control over LLM inference containers and the ability to generate API tokens, creating a direct foothold into AI inference infrastructure. Patch to version 3.0.13 immediately; if patching is delayed, block `/api/v1/nvidia-nim/*` at the network perimeter, restrict Flowise API exposure to internal networks only, and rotate any tokens that may have been generated during the exposure window.
Is CVE-2026-30824 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-30824, increasing the risk of exploitation.
How to fix CVE-2026-30824?
1. Patch immediately: upgrade Flowise to version 3.0.13 or later per the official release at the GitHub advisory. 2. If immediate patching is not possible, configure a reverse proxy (nginx, Caddy) or WAF rule to block all unauthenticated requests to `/api/v1/nvidia-nim/*` paths. 3. Flowise APIs should never be internet-facing without authentication; restrict access to internal networks or place behind a VPN. 4. Audit NVIDIA NIM access logs for anomalous activity and unauthorized token generation events predating patch application. 5. Rotate all API tokens that could have been generated or exposed during the vulnerability window. 6. Verify patch status by probing the `/api/v1/nvidia-nim/` endpoint path on all Flowise instances — a 401 response confirms auth is enforced.
What systems are affected by CVE-2026-30824?
This vulnerability affects the following AI/ML architecture patterns: LLM workflow platforms, NVIDIA NIM inference deployments, Container-based AI inference infrastructure, Agent frameworks, No-code AI pipeline builders.
What is the CVSS score for CVE-2026-30824?
CVE-2026-30824 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 36.25%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0034 Cost Harvesting AML.T0040 AI Model Inference API Access AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation AML.T0083 Credentials from AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13.
Exploitation Scenario
An attacker uses Shodan or Censys to fingerprint internet-facing Flowise deployments running versions prior to 3.0.13. Armed with the public PoC from the GitHub advisory, they send unauthenticated HTTP GET/POST requests directly to `/api/v1/nvidia-nim/` management endpoints — no credentials, no user interaction required. They enumerate available container management operations, invoke token generation endpoints to mint valid API tokens for the NVIDIA NIM backend, and use those tokens to authenticate to inference infrastructure for further access. The entire attack chain runs in minutes, enabling lateral movement into GPU inference resources, exfiltration of model configurations, or sustained cost harvesting against the victim's NVIDIA NIM deployment.
Weaknesses (CWE)
CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
- [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 Product Release
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454 Exploit Vendor
Timeline
Scanner Template Available
A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.
View template on GitHubnuclei -t http/cves/2026/CVE-2026-30824.yaml -u https://target.example.com Related Vulnerabilities
CVE-2025-71338 10.0 Flowise: unauthenticated file write enables RCE
Same package: flowise CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise