AI Threat Alert
GHSA-5fw2-mwhh-9947: Flowise: unauth TTS endpoint exposes stored AI API keys
GHSA-5fw2-mwhh-9947 HIGHA Flowise text-to-speech endpoint is whitelisted from authentication, allowing any unauthenticated attacker to supply an arbitrary credentialId and trigger server-side decryption and use of stored AI provider credentials—OpenAI, ElevenLabs, Azure Cognitive, or Google Cloud—entirely at the victim's expense. Flowise carries 59 CVEs in this same package, signaling systemic security debt that should prompt elevated scrutiny of any self-hosted deployment, and the existence of a companion credential-ID discovery finding described in the advisory makes chained exploitation trivially accessible. No EPSS or KEV data exists yet, but the exploitation barrier is a single unauthenticated POST request—zero AI knowledge required—making this a realistic candidate for automated scanning tooling the moment enumeration vectors circulate publicly. Upgrade to Flowise 3.1.0 immediately; as an interim control, block POST requests to /api/v1/text-to-speech/generate at the WAF or reverse proxy, and rotate all AI provider API keys stored in the platform.
What is the risk?
High risk for organizations self-hosting Flowise in internet-exposed or partially-trusted network segments. CWE-639 (Authorization Bypass Through User-Controlled Key) is a classic IDOR-class flaw requiring zero authentication and zero AI/ML knowledge to exploit—any attacker reaching the endpoint with a valid credentialId can weaponize stored credentials immediately. The 59 other CVEs in this package indicate a pattern of insufficient security review, substantially increasing the likelihood that companion credential-disclosure findings exist or will emerge, enabling chained exploitation that makes this more dangerous than a standalone finding.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | <= 3.0.13 | 3.1.0 |
Do you use Flowise? You're affected.
How severe is it?
What should I do?
5 steps-
Patch immediately: upgrade Flowise to 3.1.0, which enforces chatflow-scoped credential validation or removes the TTS endpoint from WHITELIST_URLS.
-
Interim network control: add a WAF or reverse-proxy rule blocking POST requests to /api/v1/text-to-speech/generate from unauthenticated or external sources until patching is complete.
-
Credential rotation: rotate all AI provider API keys stored in Flowise (OpenAI, ElevenLabs, Azure, Google) and audit provider-side usage logs for anomalous TTS activity over the past 30 days.
-
Network hardening: confirm Flowise instances are not directly internet-exposed; enforce VPN or mTLS for all API and admin access.
-
Credential audit: enumerate the Flowise credential store, remove unused credentials, and apply least-privilege scoping to all stored API keys.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-5fw2-mwhh-9947?
A Flowise text-to-speech endpoint is whitelisted from authentication, allowing any unauthenticated attacker to supply an arbitrary credentialId and trigger server-side decryption and use of stored AI provider credentials—OpenAI, ElevenLabs, Azure Cognitive, or Google Cloud—entirely at the victim's expense. Flowise carries 59 CVEs in this same package, signaling systemic security debt that should prompt elevated scrutiny of any self-hosted deployment, and the existence of a companion credential-ID discovery finding described in the advisory makes chained exploitation trivially accessible. No EPSS or KEV data exists yet, but the exploitation barrier is a single unauthenticated POST request—zero AI knowledge required—making this a realistic candidate for automated scanning tooling the moment enumeration vectors circulate publicly. Upgrade to Flowise 3.1.0 immediately; as an interim control, block POST requests to /api/v1/text-to-speech/generate at the WAF or reverse proxy, and rotate all AI provider API keys stored in the platform.
Is GHSA-5fw2-mwhh-9947 actively exploited?
No confirmed active exploitation of GHSA-5fw2-mwhh-9947 has been reported, but organizations should still patch proactively.
How to fix GHSA-5fw2-mwhh-9947?
1. Patch immediately: upgrade Flowise to 3.1.0, which enforces chatflow-scoped credential validation or removes the TTS endpoint from WHITELIST_URLS. 2. Interim network control: add a WAF or reverse-proxy rule blocking POST requests to /api/v1/text-to-speech/generate from unauthenticated or external sources until patching is complete. 3. Credential rotation: rotate all AI provider API keys stored in Flowise (OpenAI, ElevenLabs, Azure, Google) and audit provider-side usage logs for anomalous TTS activity over the past 30 days. 4. Network hardening: confirm Flowise instances are not directly internet-exposed; enforce VPN or mTLS for all API and admin access. 5. Credential audit: enumerate the Flowise credential store, remove unused credentials, and apply least-privilege scoping to all stored API keys.
What systems are affected by GHSA-5fw2-mwhh-9947?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, API credential management, multi-provider AI integrations.
What is the CVSS score for GHSA-5fw2-mwhh-9947?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0034 Cost Harvesting AML.T0034.000 Excessive Queries AML.T0048.000 Financial Harm AML.T0049 Exploit Public-Facing Application AML.T0055 Unsecured Credentials AML.T0083 Credentials from AI Agent Configuration AML.T0091.000 Application Access Token AML.T0106 Exploitation for Credential Access Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary The text-to-speech generation endpoint (`POST /api/v1/text-to-speech/generate`) is whitelisted (no auth) and accepts a `credentialId` directly in the request body. When called without a `chatflowId`, the endpoint uses the provided `credentialId` to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech. ### Root Cause ```typescript // packages/server/src/controllers/text-to-speech/index.ts:58-64 } else { // Use TTS config from request body provider = bodyProvider credentialId = bodyCredentialId // ← attacker-controlled credential ID voice = bodyVoice model = bodyModel } ``` ### Docker Validation `POST /api/v1/text-to-speech/generate` with arbitrary `credentialId` in body: endpoint processes request, sends SSE `tts_start` event, only fails when credential doesn't exist — proves code path runs without authentication. ### Impact - Use victim's API keys (OpenAI, ElevenLabs, Azure, Google) without authorization - Burn API credits on the victim's account - Generate unlimited speech content at victim's expense - Combined with credential ID leak from Finding 2, this is trivially exploitable ### Suggested Fix Remove the TTS endpoint from `WHITELIST_URLS` or validate that the credential belongs to the chatflow being used: ```typescript // Only allow credentialId when it matches the chatflow's TTS configuration if (!chatflowId) { return res.status(401).json({ message: 'Authentication required' }) } ``` --- ## References - `packages/server/src/controllers/text-to-speech/index.ts` lines 10-162 - `packages/server/src/utils/constants.ts` line 41 (whitelist entry) ## Credits - Shinobi Security - https://github.com/shinobisecurity
Exploitation Scenario
An attacker scans for publicly exposed Flowise instances via Shodan or Censys and identifies a target running ≤3.0.13. Using a companion IDOR or information-disclosure vulnerability—one of the 59 other CVEs in this package—they enumerate valid credentialIds from the platform's credential store. They then send a single unauthenticated POST to /api/v1/text-to-speech/generate with the target credentialId in the request body and a TTS payload. The Flowise server decrypts the stored OpenAI API key server-side and forwards the generation request, burning the victim's credits. With a scripted loop, the attacker exhausts thousands of dollars in API quota within minutes, or extracts the validated key reference to access OpenAI's API directly for broader generative abuse.
Weaknesses (CWE)
CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
- [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
- [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2026-56274 9.9 Flowise: RCE via MCP server command validation bypass
Same package: flowise