CVE-2026-46440: Flowise plaintext auth

CISO Take

Flowise's checkBasicAuth endpoint validates credentials in plaintext with no rate limiting or lockout, making it trivially brute-forceable by any attacker with network access to the management interface. CISOs running AI agent infrastructure on Flowise should treat this as urgent: a compromised instance typically exposes all stored API keys (OpenAI, Anthropic, etc.), database credentials, and the full set of agent workflows and tool integrations — handing an attacker the keys to the entire AI stack. No public exploit is listed and the vulnerability is not in CISA KEV, but the exploitation barrier is minimal — unauthenticated brute force requires no specialized tooling or AI/ML knowledge. Patch to Flowise 3.1.2 immediately and place the management interface behind a VPN or IP allowlist until upgraded.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

HIGH risk for organizations running internet-exposed Flowise instances prior to 3.1.2. The absence of rate limiting reduces exploitation to a trivial password spray requiring no specialized skills. Impact is severe because Flowise acts as an orchestration hub with wired-in credentials to downstream AI services, databases, and external APIs. CWE-522 (Insufficiently Protected Credentials) also raises the risk of credential interception over unencrypted connections. Risk is moderate for instances already restricted to internal networks or fronted by an authenticated reverse proxy.

How does the attack unfold?

Discovery

Attacker identifies an internet-exposed Flowise management interface via Shodan, Censys, or passive DNS enumeration targeting known Flowise default ports.

AML.T0006

Brute Force Auth

Attacker scripts rapid credential attempts against the /checkBasicAuth endpoint, exploiting the absence of rate limiting to brute-force valid credentials in minutes.

AML.T0049

Credential Harvesting

Authenticated attacker extracts all stored API keys and service credentials for LLM providers, vector databases, and integrations from the Flowise configuration.

AML.T0083

Workflow Manipulation

Attacker modifies production LLM flows to exfiltrate user data, inject malicious behavior into agent pipelines, or pivot to connected downstream AI services and databases.

AML.T0081

Discovery

Attacker identifies an internet-exposed Flowise management interface via Shodan, Censys, or passive DNS enumeration targeting known Flowise default ports.

AML.T0006

Brute Force Auth

Attacker scripts rapid credential attempts against the /checkBasicAuth endpoint, exploiting the absence of rate limiting to brute-force valid credentials in minutes.

AML.T0049

Credential Harvesting

Authenticated attacker extracts all stored API keys and service credentials for LLM providers, vector databases, and integrations from the Flowise configuration.

AML.T0083

Workflow Manipulation

Attacker modifies production LLM flows to exfiltrate user data, inject malicious behavior into agent pipelines, or pivot to connected downstream AI services and databases.

AML.T0081

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	—	No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

PATCH

Upgrade to Flowise 3.1.2 immediately — this version resolves the plaintext credential validation and adds rate limiting to the auth endpoint.
NETWORK ISOLATION

Restrict the Flowise management UI to internal networks, VPN, or IP allowlist — it should never be directly internet-exposed.
CREDENTIAL ROTATION

If the instance was internet-accessible pre-patch, rotate all API keys stored in Flowise (LLM providers, vector DBs, integrations) as a precaution.
DETECTION

Review web and access logs for high-frequency requests to the /checkBasicAuth endpoint — burst traffic from a single IP is indicative of brute force.
AUDIT

If suspicious access is confirmed, review all flows and integrations for unauthorized modifications.

How is it classified?

Auth Bypass Data Extraction Agent Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.6.2.2 - Access Control — Authentication

NIST AI RMF

GOVERN 1.7 - Organizational Policies for AI Risk

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-46440?

Flowise's checkBasicAuth endpoint validates credentials in plaintext with no rate limiting or lockout, making it trivially brute-forceable by any attacker with network access to the management interface. CISOs running AI agent infrastructure on Flowise should treat this as urgent: a compromised instance typically exposes all stored API keys (OpenAI, Anthropic, etc.), database credentials, and the full set of agent workflows and tool integrations — handing an attacker the keys to the entire AI stack. No public exploit is listed and the vulnerability is not in CISA KEV, but the exploitation barrier is minimal — unauthenticated brute force requires no specialized tooling or AI/ML knowledge. Patch to Flowise 3.1.2 immediately and place the management interface behind a VPN or IP allowlist until upgraded.

Is CVE-2026-46440 actively exploited?

No confirmed active exploitation of CVE-2026-46440 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46440?

1. PATCH: Upgrade to Flowise 3.1.2 immediately — this version resolves the plaintext credential validation and adds rate limiting to the auth endpoint. 2. NETWORK ISOLATION: Restrict the Flowise management UI to internal networks, VPN, or IP allowlist — it should never be directly internet-exposed. 3. CREDENTIAL ROTATION: If the instance was internet-accessible pre-patch, rotate all API keys stored in Flowise (LLM providers, vector DBs, integrations) as a precaution. 4. DETECTION: Review web and access logs for high-frequency requests to the /checkBasicAuth endpoint — burst traffic from a single IP is indicative of brute force. 5. AUDIT: If suspicious access is confirmed, review all flows and integrations for unauthorized modifications.

What systems are affected by CVE-2026-46440?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM pipelines, RAG pipelines, chatbot backends, multi-agent orchestration.

What is the CVSS score for CVE-2026-46440?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM pipelinesRAG pipelineschatbot backendsmulti-agent orchestration

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

AML.T0083 Credentials from AI Agent Configuration

AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.6.2.2

NIST AI RMF: GOVERN 1.7

OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2.

Exploitation Scenario

An attacker scans internet-facing services via Shodan to enumerate publicly accessible Flowise management interfaces — a common pattern given Flowise's popularity for rapid AI prototyping on cloud VMs left public. Finding a target, they script repeated POST requests to the /checkBasicAuth endpoint using a common credential wordlist. With no rate limiting or lockout enforced, a basic password spray completes in minutes. The attacker gains administrative access to the Flowise workspace, extracts the stored OpenAI and Anthropic API keys, and maps all connected services and workflows. They then modify a production RAG-backed customer chatbot flow to silently exfiltrate all user queries and LLM responses to an external endpoint, achieving persistent data collection without triggering any application-level alerts.