CVE-2026-8026: Flowise: info disclosure via login API response handler

GHSA-8f47-4rh3-x44m LOW CISA: TRACK*
Published May 6, 2026
CISO Take

FlowiseAI Flowise up to version 3.0.12 leaks sensitive information through its enterprise login API response handler, rooted in both improper information exposure (CWE-200) and cleartext storage of credentials (CWE-312). Although the CVSS base score is 3.7 (Low) and EPSS sits at 0.00012 in absolute terms, Flowise is a widely-deployed AI agent orchestration platform — exposed authentication material could grant an attacker direct control over LLM flows, connected data sources, and integrated tool APIs. With 61 CVEs already attributed to this package, the cumulative security debt is a meaningful flag for vendor risk assessments. No patched version is documented yet; operators should immediately restrict network access to the enterprise login endpoint, rotate any credentials stored in flow configurations, and monitor GHSA-8f47-4rh3-x44m for a fix release.

Sources: NVD EPSS GitHub Advisory ATLAS

What is the risk?

Low absolute risk profile: CVSS 3.7, EPSS 0.00012 (roughly 0.012% 30-day exploitation probability), no CISA KEV listing, and no public exploit or scanner template available. The AC:H vector requires specific triggering conditions, reducing opportunistic exploitation. However, the underlying weakness — cleartext credential handling in an auth endpoint — has a higher effective impact than the base score implies if exploited in a production AI agent deployment. The package's history of 61 CVEs is a systemic indicator warranting heightened scrutiny during vendor risk reviews.

How does the attack unfold?

  1. Discovery (AML.T0006): Adversary identifies a publicly exposed Flowise enterprise instance via internet scanning tools, locating the enterprise login endpoint.

  2. Exploitation (AML.T0049): Adversary sends crafted authentication requests to the enterprise login endpoint, triggering the API response handler to return sensitive data in its response body.

  3. Credential Harvesting (AML.T0055): Cleartext credentials, session tokens, or internal user identifiers leaked in the API response are captured and recorded by the adversary.

  4. Agent Framework Compromise (AML.T0083): Adversary authenticates to the Flowise dashboard using harvested credentials, gaining control over AI agent workflows, embedded LLM API keys, and all connected tool integrations.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
Flowise | npm       | <= 3.0.12        | No patch

How severe is it?

CVSS 3.1: 3.7 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 17% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

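Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None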

What should I do?

  1. Upgrade Flowise beyond 3.0.12 as soon as a patched release is published — monitor GHSA-8f47-4rh3-x44m for fix availability.

  2. Until patched: restrict network-level access to the Flowise enterprise login endpoint to trusted IP ranges via firewall or reverse proxy ACLs.

  3. Audit existing Flowise API logs for anomalous login request patterns that may indicate prior probing.

  4. Rotate all API keys and credentials stored within Flowise flow configurations (LLM API keys, database credentials, webhook secrets) as a precaution.

  5. Review API response sanitization in any self-hosted forks to confirm sensitive fields are stripped from error and auth response bodies.
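
For step 5, one way to run that review, as an added example that is not Flowise code: an allowlist serializer for a login response, plus a walker that reports sensitive-looking keys in any response body. The field names, the SENSITIVE_KEY pattern and the sample record are assumptions made for illustration.

```typescript
// Added example: field names and sample values are hypothetical, not Flowise's schema.
type Json = null | boolean | number | string | Json[] | { [k: string]: Json };
type JsonObject = { [k: string]: Json };

// Only these fields may cross the trust boundary in a login response.
const LOGIN_RESPONSE_FIELDS = ["id", "email", "name", "role"] as const;

// Key names that should never appear in an auth or error response body.
const SENSITIVE_KEY = /passw(or)?d|secret|credential|hash|salt|temp.?token|api.?key/i;

// Allowlist serializer: copy named fields instead of deleting known-bad ones,
// so a column added to the account record later is not exposed by default.
function toLoginResponse(record: JsonObject): JsonObject {
  const out: JsonObject = {};
  for (const field of LOGIN_RESPONSE_FIELDS) {
    const value = record[field];
    if (value !== undefined) out[field] = value;
  }
  return out;
}

// Audit helper: return the JSON path of every sensitive-looking key in a body.
function findSensitivePaths(body: Json, path: string = "$"): string[] {
  if (body === null || typeof body !== "object") return [];
  const hits: string[] = [];
  if (Array.isArray(body)) {
    body.forEach((item, i) => hits.push(...findSensitivePaths(item, `${path}[${i}]`)));
    return hits;
  }
  for (const key of Object.keys(body)) {
    const here = `${path}.${key}`;
    if (SENSITIVE_KEY.test(key)) hits.push(here);
    const value = body[key];
    if (value !== undefined) hits.push(...findSensitivePaths(value, here));
  }
  return hits;
}

// Constructed sample: an account row as a login handler might hold it in memory.
const sampleRecord: JsonObject = {
  id: "u-1001", email: "analyst@example.test", name: "Analyst", role: "admin",
  credential: "constructed-hash-value", tempToken: "constructed-reset-token",
  sso: { provider: "example", clientSecret: "constructed-secret" },
};

// "Before" returns the whole record; "after" returns only allowlisted fields.
const leakyBody: Json = { status: "ok", user: sampleRecord };
const safeBody: Json = { status: "ok", user: toLoginResponse(sampleRecord) };
```

Running findSensitivePaths over recorded success and error responses from a fork's auth routes gives a repeatable check that can fail a CI job whenever the returned list is non-empty.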

What does CISA's SSVC say?

Decision: Track*
Exploitation: PoC
Automatable: No
Technical Impact: Partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.8.2 - Data Security in AI Systems
NIST AI RMF: MANAGE 2.4 - Residual risks are managed
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-8026 actively exploited?

No confirmed active exploitation of CVE-2026-8026 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-8026?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, low-code AI application builders.

What is the CVSS score for CVE-2026-8026?

CVE-2026-8026 has a CVSS v3.1 base score of 3.7 (LOW). The EPSS exploitation probability is 0.26%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM orchestration platforms, low-code AI application builders

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.8.2
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. You should upgrade the affected component.

Exploitation Scenario

An adversary discovers a publicly exposed Flowise enterprise instance via Shodan or Censys internet scanning, identifying the enterprise login endpoint. They send a series of crafted authentication requests with boundary-case or malformed inputs to that endpoint, which is handled by the Login function in packages/server/src/enterprise/services/account.service.ts. Due to insufficient output filtering in the API response handler, the server returns a response body containing cleartext credential fragments, internal user identifiers, or valid session tokens. The adversary extracts these and authenticates to the Flowise dashboard, gaining access to deployed LLM agent flows, embedded third-party API keys (OpenAI, Anthropic), and any connected databases or tools the flows orchestrate, effectively pivoting from a low-severity info disclosure into full agent framework compromise.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Timeline

Published: May 6, 2026
Last Modified: May 12, 2026
First Seen: May 13, 2026
