FlowiseAI Flowise up to version 3.0.12 leaks sensitive information through its enterprise login API response handler, rooted in both improper information exposure (CWE-200) and cleartext storage of credentials (CWE-312). Although the CVSS base score is 3.7 (Low) and EPSS sits at 0.00012 in absolute terms, Flowise is a widely-deployed AI agent orchestration platform — exposed authentication material could grant an attacker direct control over LLM flows, connected data sources, and integrated tool APIs. With 61 CVEs already attributed to this package, the cumulative security debt is a meaningful flag for vendor risk assessments. No patched version is documented yet; operators should immediately restrict network access to the enterprise login endpoint, rotate any credentials stored in flow configurations, and monitor GHSA-8f47-4rh3-x44m for a fix release.
Risk Assessment
Low absolute risk profile: CVSS 3.7, EPSS 0.00012 (roughly 0.012% 30-day exploitation probability), no CISA KEV listing, and no public exploit or scanner template available. The AC:H vector requires specific triggering conditions, reducing opportunistic exploitation. However, the underlying weakness — cleartext credential handling in an auth endpoint — has a higher effective impact than the base score implies if exploited in a production AI agent deployment. The package's history of 61 CVEs is a systemic indicator warranting heightened scrutiny during vendor risk reviews.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | <= 3.0.12 | No patch |
Do you use flowise? You're affected.
Recommended Action
1. Upgrade Flowise beyond 3.0.12 as soon as a patched release is published — monitor GHSA-8f47-4rh3-x44m for fix availability.
2. Until patched: restrict network-level access to the Flowise enterprise login endpoint to trusted IP ranges via firewall or reverse proxy ACLs.
3. Audit existing Flowise API logs for anomalous login request patterns that may indicate prior probing.
4. Rotate all API keys and credentials stored within Flowise flow configurations (LLM API keys, database credentials, webhook secrets) as a precaution.
5. Review API response sanitization in any self-hosted forks to confirm sensitive fields are stripped from error and auth response bodies.
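The response-sanitization check in step 5, as an added example in TypeScript (the language of the Flowise server) that is not Flowise's own code: the `AccountRecord` shape, its field names and the function names are assumptions chosen for illustration.

```typescript
// Added example (not Flowise project code): allow-list serialization for a
// login handler's success and error responses, the fix pattern behind
// CWE-200 / CWE-312 leaks. AccountRecord and its field names are assumptions.
type Role = 'owner' | 'admin' | 'member';
interface AccountRecord {
  id: string;
  email: string;
  name: string;
  role: Role;
  credential: string;   // password hash: must never reach a response body
  apiKeys?: string[];   // LLM / tool API keys bound to the account
}

// The only account fields a login response may carry (allow-list, not deny-list).
const LOGIN_RESPONSE_FIELDS = ['id', 'email', 'name', 'role'] as const;
type LoginResponse = Pick<AccountRecord, (typeof LOGIN_RESPONSE_FIELDS)[number]>;

function pick<T, K extends keyof T>(obj: T, keys: readonly K[]): Pick<T, K> {
  const out = {} as Pick<T, K>;
  for (const k of keys) out[k] = obj[k];
  return out;
}

// Success path: columns added to the account table later stay excluded by default.
function toLoginResponse(account: AccountRecord): LoginResponse {
  return pick(account, LOGIN_RESPONSE_FIELDS);
}

// Failure path: internal detail goes to the server log only; the client gets a
// generic code plus a request id it can quote to support.
function toLoginErrorResponse(err: Error, requestId: string, serverLog: string[]) {
  serverLog.push(`[${requestId}] login failed: ${err.message}`);
  return { error: 'authentication_failed', requestId };
}

// Guard for unit tests / CI: return the first key path in a response object that
// looks secret-bearing, or null. The pattern is deliberately broad.
const SECRET_KEY = /password|secret|token|key|credential|authorization/i;

function findSensitiveField(obj: unknown, path = ''): string | null {
  if (obj === null || typeof obj !== 'object') return null;
  for (const [k, v] of Object.entries(obj as Record<string, unknown>)) {
    const p = path ? `${path}.${k}` : k;
    if (SECRET_KEY.test(k)) return p;
    const nested = findSensitiveField(v, p);
    if (nested) return nested;
  }
  return null;
}
```

Running `findSensitiveField` over every auth-route response in the test suite catches a new secret-bearing column before it ships, which a deny-list in the handler does not.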
Frequently Asked Questions
Is CVE-2026-8026 actively exploited?
No confirmed active exploitation of CVE-2026-8026 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-8026?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, low-code AI application builders.
What is the CVSS score for CVE-2026-8026?
CVE-2026-8026 has a CVSS v3.1 base score of 3.7 (LOW). The EPSS exploitation probability is 0.01%.
Technical Details
NVD Description
A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. You should upgrade the affected component.
Exploitation Scenario
An adversary discovers a publicly exposed Flowise enterprise instance via Shodan or Censys internet scanning, identifying the enterprise login endpoint. They send a series of crafted authentication requests with boundary-case or malformed inputs to packages/server/src/enterprise/services/account.service.ts. Due to insufficient output filtering in the API response handler, the server returns a response body containing cleartext credential fragments, internal user identifiers, or valid session tokens. The adversary extracts these and authenticates to the Flowise dashboard, gaining access to deployed LLM agent flows, embedded third-party API keys (OpenAI, Anthropic), and any connected databases or tools the flows orchestrate — effectively pivoting from a low-severity info disclosure into full agent framework compromise.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Related Vulnerabilities
All in the same package (flowise):

| CVE | Score | Title |
|---|---|---|
| CVE-2025-59528 | 10.0 | Flowise: Unauthenticated RCE via MCP config injection |
| CVE-2026-40933 | 9.9 | Flowise: RCE via MCP stdio command injection |
| CVE-2025-61913 | 9.9 | Flowise: path traversal in file tools leads to RCE |
| CVE-2026-30821 | 9.8 | flowise: Arbitrary File Upload enables RCE |
| CVE-2026-30824 | 9.8 | Flowise: auth bypass exposes NVIDIA NIM container endpoints |