AI Threat Alert
GHSA-6f7g-v4pp-r667: Flowise: OAuth token theft via unauthenticated endpoint
GHSA-6f7g-v4pp-r667 HIGHFlowise, a widely-deployed no-code AI agent builder, has a critical authentication bypass in two unauthenticated API endpoints that together allow any attacker to steal valid OAuth 2.0 access tokens for third-party services integrated into public chatflows. The attack requires only two unauthenticated HTTP requests — extracting an OAuth credential identifier from the public chatflow configuration endpoint, then exchanging that identifier for a live token at the unauthenticated OAuth refresh endpoint. With 37 prior CVEs in this package, a trivial two-step curl-based PoC published in the advisory, and OAuth integrations commonly connecting to Gmail, Google APIs, and other business-critical services, exploitation is a realistic near-term risk for every internet-exposed self-hosted Flowise instance. Organizations should upgrade to Flowise 3.1.0 immediately, revoke and rotate OAuth tokens for all services configured in Flowise workflows, and audit third-party service access logs for unauthorized activity dating back to initial deployment.
What is the risk?
HIGH. The vulnerability is trivially exploitable — it requires no authentication, no special tooling, and the full PoC consists of two standard HTTP requests. Any self-hosted Flowise instance with public chatflows configured to use OAuth 2.0 integrations (Google, Microsoft, GitHub, etc.) is exposed by default, since public chatflows are designed to be internet-accessible. The credential identifiers exposed via the configuration endpoint are not secrets by design, making this a systemic architectural flaw rather than a misconfiguration. The blast radius extends beyond Flowise itself to every connected OAuth service, meaning a single Flowise deployment could be the entry point to email, calendar, code repositories, or SaaS platforms.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | <= 3.0.13 | 3.1.0 |
Do you use Flowise? You're affected.
How severe is it?
What should I do?
6 steps-
IMMEDIATE — Upgrade Flowise to version 3.1.0, which patches both the unauthenticated configuration endpoint and the unauthenticated OAuth refresh endpoint.
-
REVOKE — Rotate all OAuth tokens and application credentials for every third-party service (Gmail, GitHub, Google APIs, etc.) configured in Flowise workflows — treat all existing tokens as compromised.
-
AUDIT — Review access logs for connected OAuth services for unauthorized API calls, focusing on the period since initial Flowise deployment.
-
HARDEN — Until patched, block external access to /api/v1/oauth2-credential/refresh/* and /api/v1/public-chatbotConfig/* at the WAF or reverse proxy layer.
-
ISOLATE — Consider moving OAuth-sensitive workflows behind authenticated (private) chatflows rather than public ones, even post-patch.
-
DETECT — Alert on unexpected OAuth token refresh calls or anomalous API activity in integrated services.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-6f7g-v4pp-r667?
Flowise, a widely-deployed no-code AI agent builder, has a critical authentication bypass in two unauthenticated API endpoints that together allow any attacker to steal valid OAuth 2.0 access tokens for third-party services integrated into public chatflows. The attack requires only two unauthenticated HTTP requests — extracting an OAuth credential identifier from the public chatflow configuration endpoint, then exchanging that identifier for a live token at the unauthenticated OAuth refresh endpoint. With 37 prior CVEs in this package, a trivial two-step curl-based PoC published in the advisory, and OAuth integrations commonly connecting to Gmail, Google APIs, and other business-critical services, exploitation is a realistic near-term risk for every internet-exposed self-hosted Flowise instance. Organizations should upgrade to Flowise 3.1.0 immediately, revoke and rotate OAuth tokens for all services configured in Flowise workflows, and audit third-party service access logs for unauthorized activity dating back to initial deployment.
Is GHSA-6f7g-v4pp-r667 actively exploited?
No confirmed active exploitation of GHSA-6f7g-v4pp-r667 has been reported, but organizations should still patch proactively.
How to fix GHSA-6f7g-v4pp-r667?
1. IMMEDIATE — Upgrade Flowise to version 3.1.0, which patches both the unauthenticated configuration endpoint and the unauthenticated OAuth refresh endpoint. 2. REVOKE — Rotate all OAuth tokens and application credentials for every third-party service (Gmail, GitHub, Google APIs, etc.) configured in Flowise workflows — treat all existing tokens as compromised. 3. AUDIT — Review access logs for connected OAuth services for unauthorized API calls, focusing on the period since initial Flowise deployment. 4. HARDEN — Until patched, block external access to /api/v1/oauth2-credential/refresh/* and /api/v1/public-chatbotConfig/* at the WAF or reverse proxy layer. 5. ISOLATE — Consider moving OAuth-sensitive workflows behind authenticated (private) chatflows rather than public ones, even post-patch. 6. DETECT — Alert on unexpected OAuth token refresh calls or anomalous API activity in integrated services.
What systems are affected by GHSA-6f7g-v4pp-r667?
This vulnerability affects the following AI/ML architecture patterns: AI agent platforms, No-code LLM workflow builders, OAuth-integrated chatbots, Customer-facing AI assistants, Enterprise automation pipelines.
What is the CVSS score for GHSA-6f7g-v4pp-r667?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation AML.T0055 Unsecured Credentials AML.T0083 Credentials from AI Agent Configuration AML.T0084 Discover AI Agent Configuration AML.T0091.000 Application Access Token Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. ### Details Flowise is designed to allow public chatflows to be accessed by unauthenticated end users via public URLs or embedded widgets. As a result, `chatflowId` values are intentionally exposed to unauthenticated clients and must not be treated as secrets. However, the endpoint `GET /api/v1/public-chatbotConfig/<chatflowId>` returns internal `flowData` without authentication. The returned `flowData` includes workflow node definitions containing OAuth credential identifiers (`credential` field). Separately, the endpoint `POST /api/v1/oauth2-credential/refresh/<credentialId>` allows OAuth. 2.0 tokens to be refreshed without authentication or authorization checks. Because credential identifiers can be obtained from the unauthenticated public chatflow configuration endpoint, these two behaviors can be combined to allow unauthenticated OAuth 2.0 access token disclosure. ### PoC **Prerequisites** - Self-hosted Flowise instance - A public chatflow configured with an OAuth 2.0 credential (e.g., Gmail OAuth2) #### Step 1: Obtain `chatflowId` The `chatflowId` is exposed to unauthenticated users via public chatflow URLs, embedded widgets, or browser network requests when accessing a public chatflow. Example: `d37b9812-72c1-4c64-b152-665f307f755e` #### Step 2: Retrieve internal `flowData` without authentication ```bash curl -s \ http://localhost:3000/api/v1/public-chatbotConfig/d37b9812-72c1-4c64-b152-665f307f755e ``` The response includes flowData containing an OAuth credential identifier, for example: ``` "credential": "6efe0e20-ba6f-4fbb-9960-658feffa0542" ``` #### Step 3: Refresh OAuth 2.0 token without authentication ```bash curl -X POST \ http://localhost:3000/api/v1/oauth2-credential/refresh/6efe0e20-ba6f-4fbb-9960-658feffa0542 ``` The response returns valid OAuth 2.0 access token data, including an `access_token`. ### Impact An unauthenticated attacker can obtain OAuth 2.0 access tokens for third-party services configured in Flowise, potentially leading to unauthorized data access, API abuse, or account compromise. This vulnerability affects self-hosted deployments because public chatflows are commonly exposed to the internet and require unauthenticated access by design. Treating `chatflowId` as a secret does not mitigate the issue.
Exploitation Scenario
A threat actor targeting a company's customer-facing AI chatbot built on Flowise opens the company website and uses browser developer tools to capture the chatflowId from network requests made by the embedded widget. The attacker sends an unauthenticated GET request to /api/v1/public-chatbotConfig/{chatflowId} and receives the full workflow JSON, which contains an OAuth credential identifier for the company's Gmail integration used by the chatbot to send confirmation emails. The attacker then sends an unauthenticated POST to /api/v1/oauth2-credential/refresh/{credentialId} and receives a valid Gmail OAuth access token. With this token, the attacker gains full read/write access to the business Gmail account, enabling email exfiltration, impersonation of company communications, or pivot to other Google Workspace services — all without ever authenticating to Flowise.
Weaknesses (CWE)
CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
- [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2026-56274 9.9 Flowise: RCE via MCP server command validation bypass
Same package: flowise