CVE-2026-46443: Flowise stored credentials

CISO Take

Flowise versions prior to 3.1.2 fail to strip the encryptedData field from credential API responses when a credentialName filter parameter is supplied, allowing any caller with API access to retrieve raw encrypted credential blobs for stored integrations. In production Flowise deployments, these credentials typically include LLM provider API keys (OpenAI, Anthropic), database connection strings, and third-party service tokens — their exposure gives an attacker direct access to every downstream AI service integrated in the affected flows. No public exploit exists and this is not in CISA KEV, but exploitation requires only a single crafted API call, making the bar trivially low for any authenticated attacker or anyone reaching an improperly secured Flowise endpoint. Upgrade to Flowise 3.1.2 immediately, rotate all credentials stored in affected instances, and audit the credentials API access logs for filter-based calls from unexpected sources.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium-High risk for organizations running Flowise in production. The vulnerability is trivially exploitable — a single API call with a filter parameter is sufficient. The critical factor is access control: in self-hosted deployments (the most common Flowise configuration) where the API is exposed without strict auth middleware, external exploitation is straightforward. The real blast radius extends downstream: every API key and secret stored in Flowise is potentially compromised, which can cascade into full compromise of connected LLM providers and data stores. The absence of CVSS scoring reflects recency, not low severity.

How does the attack unfold?

Initial Access

Attacker gains access to Flowise instance via compromised user account, insider access, or a misconfigured publicly exposed endpoint lacking proper authentication.

AML.T0049

Credential Discovery

Attacker sends a GET request to the Flowise credentials API endpoint with a credentialName filter parameter, triggering the vulnerable code path that fails to strip the encryptedData field from the response.

AML.T0055

Data Exfiltration

The API response returns encryptedData blobs for stored credentials; attacker decrypts them using the Flowise instance encryption key to recover plaintext API keys, database passwords, and service tokens.

AML.T0025

Impact

Attacker uses recovered credentials to make unauthorized calls to LLM providers, access connected vector databases, and pivot to all downstream AI services integrated in the compromised Flowise flows.

AML.T0083

Initial Access

Attacker gains access to Flowise instance via compromised user account, insider access, or a misconfigured publicly exposed endpoint lacking proper authentication.

AML.T0049

Credential Discovery

Attacker sends a GET request to the Flowise credentials API endpoint with a credentialName filter parameter, triggering the vulnerable code path that fails to strip the encryptedData field from the response.

AML.T0055

Data Exfiltration

The API response returns encryptedData blobs for stored credentials; attacker decrypts them using the Flowise instance encryption key to recover plaintext API keys, database passwords, and service tokens.

AML.T0025

Impact

Attacker uses recovered credentials to make unauthorized calls to LLM providers, access connected vector databases, and pivot to all downstream AI services integrated in the compromised Flowise flows.

AML.T0083

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	—	No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

6 steps

Upgrade Flowise to version 3.1.2 immediately — this is the patched release per the official advisory.
Treat all credentials stored in affected Flowise instances as compromised: rotate LLM provider API keys, database passwords, and service tokens.
Audit the credentials API endpoint access logs for GET requests that include credentialName filter parameters from unexpected IPs or time windows.
Restrict network access to Flowise: place behind authentication middleware and limit access to trusted networks or VPN.
Apply principle of least privilege to credential-reading roles in Flowise; review which accounts have API access.
If immediate patching is not feasible, block or rate-limit the credentials API endpoint at the network layer as a temporary workaround.

How is it classified?

Data Leakage Auth Bypass Agent Framework AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0106 - Exploitation for Credential Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.6.1.2 - Information security controls for AI systems

NIST AI RMF

MANAGE 2.4 - Residual risks and recovery procedures

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-46443?

Flowise versions prior to 3.1.2 fail to strip the encryptedData field from credential API responses when a credentialName filter parameter is supplied, allowing any caller with API access to retrieve raw encrypted credential blobs for stored integrations. In production Flowise deployments, these credentials typically include LLM provider API keys (OpenAI, Anthropic), database connection strings, and third-party service tokens — their exposure gives an attacker direct access to every downstream AI service integrated in the affected flows. No public exploit exists and this is not in CISA KEV, but exploitation requires only a single crafted API call, making the bar trivially low for any authenticated attacker or anyone reaching an improperly secured Flowise endpoint. Upgrade to Flowise 3.1.2 immediately, rotate all credentials stored in affected instances, and audit the credentials API access logs for filter-based calls from unexpected sources.

Is CVE-2026-46443 actively exploited?

No confirmed active exploitation of CVE-2026-46443 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46443?

1. Upgrade Flowise to version 3.1.2 immediately — this is the patched release per the official advisory. 2. Treat all credentials stored in affected Flowise instances as compromised: rotate LLM provider API keys, database passwords, and service tokens. 3. Audit the credentials API endpoint access logs for GET requests that include credentialName filter parameters from unexpected IPs or time windows. 4. Restrict network access to Flowise: place behind authentication middleware and limit access to trusted networks or VPN. 5. Apply principle of least privilege to credential-reading roles in Flowise; review which accounts have API access. 6. If immediate patching is not feasible, block or rate-limit the credentials API endpoint at the network layer as a temporary workaround.

What systems are affected by CVE-2026-46443?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM orchestration platforms, RAG pipelines, API integrations.

What is the CVSS score for CVE-2026-46443?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Agent frameworksLLM orchestration platformsRAG pipelinesAPI integrations

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

AML.T0083 Credentials from AI Agent Configuration

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.6.1.2

NIST AI RMF: MANAGE 2.4

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response. The code properly omits encryptedData when no filter is used but fails to do so when a filter is used. This issue has been patched in version 3.1.2.

Exploitation Scenario

An attacker with access to a Flowise instance — via a compromised user account, a misconfigured publicly exposed deployment, or insider access — sends a crafted GET request to the credentials API endpoint appending a credentialName filter parameter. The vulnerable code path returns the full credential object including the encryptedData field, which the unfiltered path correctly strips. The attacker exfiltrates the encrypted blob and, using the Flowise encryption key obtained from the instance's .env file (readable on disk after host access or leaked via a second vulnerability), decrypts it to recover plaintext API keys. These keys are then used to make unauthorized LLM API calls at the victim's expense, exfiltrate data from connected vector databases, or pivot laterally to other services the keys grant access to — fully compromising the AI agent ecosystem built on that Flowise instance.