CVE-2026-46444: Flowise: missing authz on vector store CRUD ops

AWAITING NVD
Published June 8, 2026
CISO Take

Flowise, a widely-deployed open-source drag-and-drop LLM flow builder, fails to enforce authorization checks on all CRUD endpoints for its OpenAI Assistants Vector Store — any holder of a valid API key, regardless of intended privilege level, can read, modify, or delete vector store contents without restriction. Vector stores in Flowise deployments commonly underpin production RAG pipelines indexed with proprietary enterprise documents, making unauthorized access a direct path to sensitive data exfiltration or knowledge-base poisoning. No public exploit or CISA KEV entry exists yet, but exploitation is trivial for anyone with any API credential: a single HTTP request to `/api/v1/openai-assistants-vector-store` is sufficient. Organizations running Flowise prior to 3.1.2 should patch immediately; as an interim control, restrict the vector store API path at the reverse proxy layer to trusted source IPs only.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium-High. The attack surface is partially reduced by the API key requirement — the route is not publicly accessible without a credential — but API keys in Flowise deployments are frequently shared across development teams or embedded in downstream application configurations, making lateral access realistic. CWE-862 (Missing Authorization) represents a design flaw rather than an implementation bug, meaning all versions prior to 3.1.2 are fully affected with no partial mitigation possible short of network-level blocking. The direct impact on vector stores (RAG data integrity, confidentiality) elevates this beyond a typical access control gap in a standard web application.

How does the attack unfold?

  1. Credential Acquisition (AML.T0055): Attacker obtains any valid Flowise API key via leaked source code, exposed configuration files, or compromised developer credentials.

  2. Unauthorized Endpoint Access (AML.T0049): Attacker sends authenticated requests to `/api/v1/openai-assistants-vector-store`; the missing authorization middleware allows all CRUD operations to proceed unchecked.

  3. Vector Store Exfiltration (AML.T0085.000): Attacker enumerates and downloads all documents indexed in the vector store, extracting proprietary enterprise knowledge used to power the RAG assistant.

  4. RAG Poisoning or Destruction (AML.T0070): Attacker injects malicious prompt injection payloads into vector store entries or bulk-deletes indexed data, corrupting AI responses for all downstream users or causing assistant failure.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | | No patch |

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

6 steps
  1. Upgrade to Flowise 3.1.2 — the only full remediation.

  2. Until patched, configure your reverse proxy (nginx/Caddy) to block external access to the /api/v1/openai-assistants-vector-store path; allow only from trusted internal IP ranges.

  3. Audit all active Flowise API keys and revoke any shared, embedded, or orphaned credentials.

  4. Review vector store contents for unauthorized modifications or injected entries by comparing against known-good indexed documents.

  5. Enable access logging on Flowise API calls and alert on unexpected CRUD requests to the vector store path.

  6. If compromise is suspected, rebuild all vector stores from validated source documents and rotate all API keys.
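
One way to implement the alerting in step 5, as an added example (not Flowise or advisory code). It assumes nginx combined-format access logs in front of Flowise and a hypothetical trusted admin subnet `10.20.0.0/24`; only the route path comes from the advisory, and the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

VS_PATH = "/api/v1/openai-assistants-vector-store"      # route named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # assumption: admin subnet
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# nginx "combined" access log format (assumed deployment detail).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_vector_store_path(target):
    """Match the route and its sub-paths; normalise query, encoding, case, slash."""
    path = unquote(target.split("?", 1)[0]).rstrip("/").lower()
    return path == VS_PATH or path.startswith(VS_PATH + "/")

def triage(lines):
    """Return (ts, ip, method, status, reason) for requests that need review."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_vector_store_path(m["target"]):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or malformed client field
        ok = m["status"].startswith("2")
        if not any(src in net for net in TRUSTED_NETS):
            reason = "untrusted-source" if ok else "untrusted-source-blocked"
        elif m["method"] in MUTATING and ok:
            reason = "mutation"  # reconcile against change records
        else:
            continue  # trusted read, or a trusted write that failed
        alerts.append((m["ts"], m["ip"], m["method"], m["status"], reason))
    return alerts

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    f'10.20.0.15 - - [09/Jun/2026:10:01:12 +0000] "GET {VS_PATH} HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    f'203.0.113.44 - - [09/Jun/2026:10:03:40 +0000] "GET {VS_PATH}?x=1 HTTP/1.1" 200 2048 "-" "-"',
    f'10.20.0.15 - - [09/Jun/2026:10:05:02 +0000] "DELETE {VS_PATH}/EXAMPLE_ID HTTP/1.1" 200 64 "-" "-"',
    '203.0.113.44 - - [09/Jun/2026:10:06:00 +0000] "POST /API/v1/openai-assistants-vector-store/ HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.7 - - [09/Jun/2026:10:07:00 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

A successful request from outside the trusted range means the proxy restriction from step 2 is missing or bypassed; a `mutation` alert from a trusted address still needs to be matched to a known change.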

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.8.4 - AI system access controls
NIST AI RMF: MANAGE 2.2 - Risk treatments include response and recovery
OWASP LLM Top 10: LLM08 - Vector and Embedding Weaknesses

Frequently Asked Questions

Is CVE-2026-46444 actively exploited?

No confirmed active exploitation of CVE-2026-46444 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46444?

  1. Upgrade to Flowise 3.1.2 — the only full remediation.

  2. Until patched, configure your reverse proxy (nginx/Caddy) to block external access to the `/api/v1/openai-assistants-vector-store` path; allow only from trusted internal IP ranges.

  3. Audit all active Flowise API keys and revoke any shared, embedded, or orphaned credentials.

  4. Review vector store contents for unauthorized modifications or injected entries by comparing against known-good indexed documents.

  5. Enable access logging on Flowise API calls and alert on unexpected CRUD requests to the vector store path.

  6. If compromise is suspected, rebuild all vector stores from validated source documents and rotate all API keys.

What systems are affected by CVE-2026-46444?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, vector databases, LLM application platforms.

What is the CVSS score for CVE-2026-46444?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, agent frameworks, vector databases, LLM application platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0036 Data from Information Repositories
AML.T0049 Exploit Public-Facing Application
AML.T0070 RAG Poisoning
AML.T0085.000 RAG Databases

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in WHITELIST_URLS. However, it is also not protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but no permission checks exist on any operation. This issue has been patched in version 3.1.2.

Exploitation Scenario

An attacker who has obtained any Flowise API key — whether through a leaked `.env` file in a public repo, a compromised developer account, or social engineering — sends a standard HTTP GET request to `/api/v1/openai-assistants-vector-store` with the key in the Authorization header. The server processes the request without any permission check and returns all vector store metadata. The attacker follows up with file-level read operations to extract indexed documents — potentially including internal policies, customer data, or proprietary research used in the organization's RAG assistant. They then craft replacement content containing indirect prompt injection payloads and upload it via the PUT/POST endpoints, poisoning future LLM responses for all users of the assistant without any visible system error or alert.

Weaknesses (CWE)

Timeline

Published: June 8, 2026
Last Modified: June 9, 2026
First Seen: June 8, 2026
