GHSA-4jpm-cgx2-8h37: Flowise: unauth API exposes plaintext API keys and tokens

GHSA-4jpm-cgx2-8h37 HIGH
Published April 16, 2026
CISO Take

Flowise's public chatbot configuration endpoint returns the full workflow definition — including plaintext API keys and HTTP authorization headers — to any unauthenticated caller who knows a chatflow UUID. That UUID is trivially obtainable from embedded chat widgets, browser network traffic, or referrer headers, making this effectively a zero-prerequisite credential theft vulnerability. With 37 prior CVEs in the same package and no EPSS data yet available, the pattern of security debt in Flowise warrants treating all stored credentials as compromised until rotated. Patch immediately to Flowise 3.1.0 and rotate any API keys or bearer tokens stored in affected chatflows.

Sources: GitHub Advisory, ATLAS

What is the risk?

High risk due to zero authentication requirement and high credential impact. The attack surface is wide: any Flowise instance (cloud or self-hosted) with internet-exposed chatflows and credentials stored in workflow nodes is vulnerable. The chatflow UUID — the sole prerequisite — is frequently public via embedded widgets. Exploitation requires no AI/ML expertise, placing this firmly in script-kiddie territory. The blast radius extends beyond Flowise itself to every downstream service whose credentials are stored in workflows (S3, external APIs, webhooks), enabling lateral movement.

How does the attack unfold?

1. UUID Discovery (AML.T0003): Attacker extracts the chatflow UUID from a public-facing chat widget embed code, browser network traffic, or referrer headers. No authentication or special access is required.
2. Unauthenticated API Exploitation (AML.T0049): Attacker issues a single GET request to /api/v1/public-chatbotConfig/{UUID}, bypassing all authentication to receive the complete flowData configuration object.
3. Credential Extraction (AML.T0083): Attacker parses the flowData JSON to extract plaintext API keys from password-type fields and bearer tokens from HTTP Authorization headers stored in workflow nodes.
4. Lateral Movement and Impact (AML.T0025): Stolen credentials are used to authenticate to connected services (S3, external APIs, webhooks), enabling data exfiltration, unauthorized AI API usage, or further infrastructure compromise.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---------|-----------|------------------|---------|
| Flowise | npm       | <= 3.0.13        | 3.1.0   |

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Patch to Flowise 3.1.0 immediately — this is the only complete fix.

  2. Audit all chatflows for stored credentials: check S3File nodes (unstructuredAPIKey), all Request nodes (Authorization headers), and any password-type fields.

  3. Rotate every exposed API key and bearer token found in flowData.

  4. If patching is not immediately possible, restrict network access to /api/v1/public-chatbotConfig/ at the reverse proxy or firewall layer (return 403 for all external requests).

  5. Review embedded chat widgets and public-facing pages to assess chatflow UUID exposure.

  6. Monitor access logs for unexpected calls to the public-chatbotConfig endpoint as an indicator of active exploitation.
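
One way to triage access logs for step 6, as an added example (not part of the advisory or of Flowise). It assumes the reverse proxy writes combined log format and that legitimate widget traffic carries a browser user agent and a Referer from a site you list in `embedding_hosts`; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format (nginx/Apache default); adjust to your proxy's format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
ENDPOINT = re.compile(r"^/api/v1/public-chatbotConfig/(?P<id>[^/?#]+)", re.I)

def _host(url):
    try:
        return urlsplit(url).hostname
    except ValueError:  # malformed Referer supplied by the client
        return None

def unexpected_config_reads(lines, embedding_hosts):
    """Per client IP, requests to the endpoint that do not look like the widget."""
    findings = defaultdict(lambda: {"ids": set(), "hits": 0, "served": 0, "reasons": set()})
    for line in lines:
        m = LINE.match(line)
        ep = ENDPOINT.match(m["target"]) if m else None
        if not ep:
            continue
        reasons = set()
        if _host(m["referer"]) not in embedding_hosts:
            reasons.add("referer is not an embedding site")
        if not m["ua"].startswith("Mozilla/"):
            reasons.add("non-browser user agent")
        if reasons:
            entry = findings[m["ip"]]
            entry["ids"].add(ep["id"].lower())
            entry["hits"] += 1
            entry["served"] += m["status"] == "200"  # config body was returned
            entry["reasons"] |= reasons
    return dict(findings)

_ID = "11111111-2222-3333-4444-555555555555"  # constructed id; log lines below are constructed
SAMPLE_LOG = [
    f'203.0.113.7 - - [17/Apr/2026:10:01:02 +0000] "GET /api/v1/public-chatbotConfig/{_ID} '
    'HTTP/1.1" 200 1834 "https://www.example.com/support" "Mozilla/5.0 (X11; Linux x86_64)"',
    f'198.51.100.23 - - [17/Apr/2026:10:05:40 +0000] "GET /api/v1/public-chatbotConfig/{_ID} '
    'HTTP/1.1" 200 1834 "-" "curl/8.5.0"',
    '198.51.100.23 - - [17/Apr/2026:10:05:41 +0000] "GET /api/v1/public-chatbotConfig/'
    'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee HTTP/1.1" 404 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    print(unexpected_config_reads(SAMPLE_LOG, {"www.example.com"}))
```

Referer and User-Agent are client-controlled, so a clean result does not prove the endpoint was never read by an outsider; any `served` count on an unpatched instance still means the credentials in that chatflow should be rotated.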

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity; Article 9 - Risk Management System
ISO 42001: A.9.2 - Access Control for AI Systems; A.9.4 - Protection of AI System Information
NIST AI RMF: GOVERN-6.1 - Policies and procedures for AI risk; MANAGE-2.2 - Risk treatment and monitoring
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is GHSA-4jpm-cgx2-8h37 actively exploited?

No confirmed active exploitation of GHSA-4jpm-cgx2-8h37 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-4jpm-cgx2-8h37?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, no-code AI builders, chatbot deployments, RAG pipelines.

What is the CVSS score for GHSA-4jpm-cgx2-8h37?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI workflow automation, no-code AI builders, chatbot deployments, RAG pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.9.2, A.9.4
NIST AI RMF: GOVERN-6.1, MANAGE-2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

### Summary

The `/api/v1/public-chatbotConfig/:id` endpoint exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge of just a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more.

### Details

Knowledge of the chatflow UUID can be obtained from embedded chat widgets, referrer headers or logs, and it's the only prerequisite. The `getSinglePublicChatbotConfig` function in `packages/server/src/services/chatflows/index.ts` returns the full **flowData** object without authorization check or data sanitization. There is a comment, **"Safe as public endpoint as chatbotConfig doesn't contain sensitive credential"**, but **flowData** does contain sensitive data such as:

- `type: 'password'` fields, which are stored in plaintext (unstructuredAPIKey in S3File node).
- HTTP Authorization headers in POST / GET Requests nodes.
- Internal API endpoints and webhook URLs.

### PoC

- Add an S3 File node, set "File Processing Method" to "Unstructured".
- Enter an API key in the "Unstructured API KEY" field or add a Requests Post node with an Authorization header.
- Save the chatflow.

`curl -s "https://localhost/api/v1/public-chatbotConfig/{CHATFLOW_UUID}"`

Response:

```
{ "flowData": "{...\"unstructuredAPIKey\":\"victim_key\"...\"requestsPostHeaders\":\"Bearer victim_token\"...}" }
```

### Impact

Impacts all Flowise Cloud users with chatflows containing password type fields or any HTTP headers, and self-hosted Flowise instances exposed to the internet.
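
The credential audit from remediation step 2 and the sanitization the advisory says is missing, as an added example (not Flowise code and not the 3.1.0 fix). It assumes flowData parses to `nodes[].data` holding `inputParams` (name and type) and `inputs` (name to value); the function names and the sample flow are constructed for illustration.

```python
import json
import re

# Header-like content in any input value: an Authorization key or a token scheme.
AUTH_PATTERN = re.compile(r"authorization|\b(?:bearer|basic)\s+\S+", re.I)

def audit_flow_data(flow_data):
    """Return (node_id, input_name, reason) per stored secret; values are never returned."""
    flow = json.loads(flow_data) if isinstance(flow_data, str) else flow_data
    findings = []
    for node in flow.get("nodes", []):
        data = node.get("data", {})
        password_fields = {p.get("name") for p in data.get("inputParams", [])
                           if p.get("type") == "password"}
        for name, value in (data.get("inputs") or {}).items():
            if value in (None, "", {}, []):
                continue  # empty inputs hold nothing to rotate
            text = value if isinstance(value, str) else json.dumps(value)
            if name in password_fields:
                findings.append((node.get("id"), name, "password-type field"))
            elif AUTH_PATTERN.search(text):
                findings.append((node.get("id"), name, "authorization header or token"))
    return findings

def redact_flow_data(flow_data):
    """Return a parsed copy of the flow with every flagged input masked."""
    flow = json.loads(flow_data if isinstance(flow_data, str) else json.dumps(flow_data))
    flagged = {(node_id, name) for node_id, name, _ in audit_flow_data(flow)}
    for node in flow.get("nodes", []):
        inputs = node.get("data", {}).get("inputs") or {}
        for name in inputs:
            if (node.get("id"), name) in flagged:
                inputs[name] = "[REDACTED]"
    return flow

# Constructed sample, shaped like the response shown in the advisory.
SAMPLE_FLOW_DATA = json.dumps({"nodes": [
    {"id": "S3_0", "data": {
        "inputParams": [{"name": "unstructuredAPIKey", "type": "password"},
                        {"name": "bucketName", "type": "string"}],
        "inputs": {"unstructuredAPIKey": "constructed-key", "bucketName": "docs"}}},
    {"id": "requestsPost_0", "data": {
        "inputParams": [{"name": "requestsPostHeaders", "type": "json"}],
        "inputs": {"url": "https://internal.example/hook",
                   "requestsPostHeaders": '{"Authorization": "Bearer constructed-token"}'}}},
]})

if __name__ == "__main__":
    for node_id, name, reason in audit_flow_data(SAMPLE_FLOW_DATA):
        print(f"{node_id}.{name}: {reason} -> rotate")
```

Run it over the flowData string of each chatflow record or exported chatflow; every finding names a credential to rotate, and internal URLs left in `inputs` still need a manual look.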

Exploitation Scenario

An attacker identifies a victim company using Flowise by finding an embedded chat widget on their website. The attacker extracts the chatflow UUID from the widget's JavaScript initialization code or intercepts it via browser DevTools network tab — no authentication required. They issue a single unauthenticated curl request to /api/v1/public-chatbotConfig/{UUID} and receive the full flowData JSON response containing plaintext AWS S3 credentials via the Unstructured node and a Bearer token for an internal API. The attacker uses the S3 credentials to exfiltrate sensitive documents and the Bearer token to access internal tooling, all without ever interacting with the AI model itself.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

Timeline

Published: April 16, 2026
Last Modified: April 16, 2026
First Seen: April 17, 2026