AI Threat Alert AI Threat Alert

CVE-2026-30824: Flowise: auth bypass exposes NVIDIA NIM container endpoints

CRITICAL PoC AVAILABLE
Published March 7, 2026
CISO Take

Flowise prior to version 3.0.13 contains a critical authentication bypass (CWE-306, CVSS 9.8) where the NVIDIA NIM router path `/api/v1/nvidia-nim/*` was whitelisted in the global auth middleware, leaving privileged container management and token generation endpoints fully accessible to unauthenticated network attackers. With a perfect exploitation profile — network-accessible, zero credentials required, zero user interaction, low complexity — and a public PoC already available, any internet-exposed Flowise instance should be treated as pre-compromised. Successful exploitation gives attackers control over LLM inference containers and the ability to generate API tokens, creating a direct foothold into AI inference infrastructure. Patch to version 3.0.13 immediately; if patching is delayed, block `/api/v1/nvidia-nim/*` at the network perimeter, restrict Flowise API exposure to internal networks only, and rotate any tokens that may have been generated during the exposure window.

Sources: NVD GitHub Advisory ATLAS

Risk Assessment

Critical. CVSS 9.8 reflects the worst-case exploit profile: network-accessible, zero authentication required, zero user interaction, low attack complexity, with full confidentiality, integrity, and availability impact. A public PoC lowers the bar to script-kiddie level, making mass exploitation plausible. The package has 16 prior CVEs, indicating a pattern of security debt. Not yet in CISA KEV, but the combination of critical severity, public PoC, and unauthenticated network access makes active exploitation imminent. Any Flowise deployment exposed beyond a trusted network perimeter should be treated as at acute risk.

Affected Systems

Package Ecosystem Vulnerable Range Patched
flowise npm No patch
flowise npm No patch
flowise npm No patch

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
N/A
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

  1. Patch immediately: upgrade Flowise to version 3.0.13 or later per the official release at the GitHub advisory.
  2. If immediate patching is not possible, configure a reverse proxy (nginx, Caddy) or WAF rule to block all unauthenticated requests to `/api/v1/nvidia-nim/*` paths.
  3. Flowise APIs should never be internet-facing without authentication; restrict access to internal networks or place behind a VPN.
  4. Audit NVIDIA NIM access logs for anomalous activity and unauthorized token generation events predating patch application.
  5. Rotate all API tokens that could have been generated or exposed during the vulnerability window.
  6. Verify patch status by probing the `/api/v1/nvidia-nim/` endpoint path on all Flowise instances — a 401 response confirms auth is enforced.

Classification

Auth Bypass Code Execution Agent Inference Framework AML.T0034 AML.T0040 AML.T0049 AML.T0053 AML.T0083

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.2 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to ensure that AI risks are tracked and managed
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13.

Exploitation Scenario

An attacker uses Shodan or Censys to fingerprint internet-facing Flowise deployments running versions prior to 3.0.13. Armed with the public PoC from the GitHub advisory, they send unauthenticated HTTP GET/POST requests directly to `/api/v1/nvidia-nim/` management endpoints — no credentials, no user interaction required. They enumerate available container management operations, invoke token generation endpoints to mint valid API tokens for the NVIDIA NIM backend, and use those tokens to authenticate to inference infrastructure for further access. The entire attack chain runs in minutes, enabling lateral movement into GPU inference resources, exfiltration of model configurations, or sustained cost harvesting against the victim's NVIDIA NIM deployment.

Weaknesses (CWE)

CWE-306 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
March 7, 2026
Last Modified
March 11, 2026
First Seen
March 7, 2026

Related Vulnerabilities

CRITICAL CVE-2025-59528 10.0

Flowise: Unauthenticated RCE via MCP config injection

Same package: flowise
CRITICAL CVE-2025-61913 9.9

Flowise: path traversal in file tools leads to RCE

Same package: flowise
CRITICAL CVE-2025-58434 9.8

Flowise: auth bypass in reset flow allows full ATO

Same package: flowise
CRITICAL CVE-2026-30821 9.8

flowise: Arbitrary File Upload enables RCE

Same package: flowise
HIGH CVE-2026-30820 8.8

Flowise: header spoof auth bypass exposes admin API & creds

Same package: flowise
Back to Threat Feed