CVE-2026-56270: Flowise auth bypass exposes OAuth

CISO Take

Flowise versions 3.0.13 and earlier expose a completely unauthenticated GET endpoint at /api/v1/loginmethod that returns an organization's full SSO configuration—including OAuth client secrets for Google, Microsoft/Azure, GitHub, and Auth0—in cleartext to any caller who supplies an organizationId. With a CVSS 7.5 (network-accessible, zero privileges, zero user interaction) and a trivially simple one-request exploit path, this is a credential-harvesting primitive disguised as a configuration endpoint. Flowise is a widely-deployed AI agent orchestration platform with 104 prior CVEs, indicating a track record of security debt; any internet-exposed instance is a viable target for automated credential scraping. Immediate action: upgrade to Flowise 3.1.0; if patching is blocked, restrict or WAF-block the /api/v1/loginmethod endpoint and rotate all OAuth client secrets for affected identity providers immediately.

Sources: NVD GitHub Advisory VulnCheck ATLAS

What is the risk?

HIGH. CVSS 7.5 network-accessible with no authentication or user interaction required makes this trivially exploitable at internet scale. The missing-authentication weakness (CWE-306) on a credential-serving endpoint is as severe as such flaws get short of RCE. The only friction is obtaining a valid organizationId, but tenant IDs are often guessable or inferable through other low-effort OSINT. OAuth client secrets for four major identity providers represent high-value, durable credentials that persist until explicitly rotated. Blast radius extends beyond Flowise itself into every downstream cloud service, API, and AI model connected via the compromised OAuth identities.

How does the attack unfold?

Discovery

Adversary identifies an internet-exposed Flowise instance via passive scanning (Shodan/Censys fingerprinting) or by targeting known Flowise deployments in the organization's asset inventory.

AML.T0006

Exploitation

Adversary sends a single unauthenticated GET request to /api/v1/loginmethod with a valid or enumerated organizationId parameter, bypassing all authentication controls.

AML.T0049

Credential Harvest

The endpoint returns the organization's complete SSO configuration in cleartext, including OAuth client secrets for Google, Microsoft/Azure, GitHub, and Auth0.

AML.T0083

Lateral Movement

Adversary uses harvested OAuth client secrets to authenticate as the Flowise application to connected identity providers, gaining access to downstream cloud services, AI APIs, code repositories, and enterprise data sources integrated with Flowise agents.

AML.T0012

Discovery

Adversary identifies an internet-exposed Flowise instance via passive scanning (Shodan/Censys fingerprinting) or by targeting known Flowise deployments in the organization's asset inventory.

AML.T0006

Exploitation

Adversary sends a single unauthenticated GET request to /api/v1/loginmethod with a valid or enumerated organizationId parameter, bypassing all authentication controls.

AML.T0049

Credential Harvest

The endpoint returns the organization's complete SSO configuration in cleartext, including OAuth client secrets for Google, Microsoft/Azure, GitHub, and Auth0.

AML.T0083

Lateral Movement

Adversary uses harvested OAuth client secrets to authenticate as the Flowise application to connected identity providers, gaining access to downstream cloud services, AI APIs, code repositories, and enterprise data sources integrated with Flowise agents.

AML.T0012

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	—	No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

6 steps

Upgrade Flowise to 3.1.0 immediately—this is the vendor-confirmed patched version.
If patching is delayed, block the /api/v1/loginmethod endpoint at the WAF or reverse-proxy layer (deny by default, no exceptions for unauthenticated callers).
Rotate all OAuth client secrets for Google, Microsoft/Azure, GitHub, and Auth0 integrations that were configured in any affected Flowise instance—treat all as compromised.
Search access logs for GET requests to /api/v1/loginmethod with an organizationId parameter; any such request from an unrecognized IP is a confirmed credential harvest attempt.
Audit IAM permissions granted to the OAuth applications connected to Flowise and revoke excess scopes.
For self-hosted instances, restrict API exposure to internal networks and enforce network-level authentication (VPN/mTLS) in front of the Flowise API surface.

How is it classified?

Auth Bypass Data Extraction Data Leakage Agent Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0106 - Exploitation for Credential Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.9.3 - AI system access control

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain AI system value and reduce negative impacts

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-56270?

Flowise versions 3.0.13 and earlier expose a completely unauthenticated GET endpoint at /api/v1/loginmethod that returns an organization's full SSO configuration—including OAuth client secrets for Google, Microsoft/Azure, GitHub, and Auth0—in cleartext to any caller who supplies an organizationId. With a CVSS 7.5 (network-accessible, zero privileges, zero user interaction) and a trivially simple one-request exploit path, this is a credential-harvesting primitive disguised as a configuration endpoint. Flowise is a widely-deployed AI agent orchestration platform with 104 prior CVEs, indicating a track record of security debt; any internet-exposed instance is a viable target for automated credential scraping. Immediate action: upgrade to Flowise 3.1.0; if patching is blocked, restrict or WAF-block the /api/v1/loginmethod endpoint and rotate all OAuth client secrets for affected identity providers immediately.

Is CVE-2026-56270 actively exploited?

No confirmed active exploitation of CVE-2026-56270 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-56270?

1. Upgrade Flowise to 3.1.0 immediately—this is the vendor-confirmed patched version. 2. If patching is delayed, block the /api/v1/loginmethod endpoint at the WAF or reverse-proxy layer (deny by default, no exceptions for unauthenticated callers). 3. Rotate all OAuth client secrets for Google, Microsoft/Azure, GitHub, and Auth0 integrations that were configured in any affected Flowise instance—treat all as compromised. 4. Search access logs for GET requests to /api/v1/loginmethod with an organizationId parameter; any such request from an unrecognized IP is a confirmed credential harvest attempt. 5. Audit IAM permissions granted to the OAuth applications connected to Flowise and revoke excess scopes. 6. For self-hosted instances, restrict API exposure to internal networks and enforce network-level authentication (VPN/mTLS) in front of the Flowise API surface.

What systems are affected by CVE-2026-56270?

This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, Agent frameworks, Multi-tenant AI SaaS platforms, LLM application builders, SSO-integrated AI deployments.

What is the CVSS score for CVE-2026-56270?

CVE-2026-56270 has a CVSS v3.1 base score of 7.5 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent orchestration platformsAgent frameworksMulti-tenant AI SaaS platformsLLM application buildersSSO-integrated AI deployments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

AML.T0083 Credentials from AI Agent Configuration

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.9.3

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM06, LLM07

What are the technical details?

Original Advisory

Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including OAuth client secrets in cleartext, by providing an organizationId parameter. Remote attackers can send a GET request to harvest sensitive API credentials for Google, Microsoft/Azure, GitHub, and Auth0 integrations. This affects FlowiseAI Cloud and self-hosted instances where the endpoint is exposed.

Exploitation Scenario

An adversary running an automated scanner identifies internet-exposed Flowise instances via Shodan or Censys by fingerprinting the Flowise login page or API responses. With a target URL confirmed, they enumerate organizationIds using sequential integers or UUIDs extracted from public Flowise demo instances or leaked configs. A single HTTP GET to /api/v1/loginmethod?organizationId=<id> returns the full SSO config JSON including OAuth client_id and client_secret in plaintext. The attacker registers these credentials against the respective identity provider OAuth APIs to obtain access tokens, then uses those tokens to authenticate into GitHub repositories containing AI model configs, Azure OpenAI deployments, or Google Workspace data that Flowise agents were authorized to access—establishing persistent access that survives any Flowise patch since the OAuth credentials remain valid until rotated.

Weaknesses (CWE)

CWE-306 Missing Authentication for Critical Function

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

[Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.