GHSA-6f7g-v4pp-r667 — HIGH AI Security Vulnerability

Q: Is GHSA-6f7g-v4pp-r667 actively exploited?

No confirmed active exploitation of GHSA-6f7g-v4pp-r667 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-6f7g-v4pp-r667?

1. IMMEDIATE — Upgrade Flowise to version 3.1.0, which patches both the unauthenticated configuration endpoint and the unauthenticated OAuth refresh endpoint. 2. REVOKE — Rotate all OAuth tokens and application credentials for every third-party service (Gmail, GitHub, Google APIs, etc.) configured in Flowise workflows — treat all existing tokens as compromised. 3. AUDIT — Review access logs for connected OAuth services for unauthorized API calls, focusing on the period since initial Flowise deployment. 4. HARDEN — Until patched, block external access to /api/v1/oauth2-credential/refresh/* and /api/v1/public-chatbotConfig/* at the WAF or reverse proxy layer. 5. ISOLATE — Consider moving OAuth-sensitive workflows behind authenticated (private) chatflows rather than public ones, even post-patch. 6. DETECT — Alert on unexpected OAuth token refresh calls or anomalous API activity in integrated services.

Q: What systems are affected by GHSA-6f7g-v4pp-r667?

This vulnerability affects the following AI/ML architecture patterns: AI agent platforms, No-code LLM workflow builders, OAuth-integrated chatbots, Customer-facing AI assistants, Enterprise automation pipelines.

Q: What is the CVSS score for GHSA-6f7g-v4pp-r667?

No CVSS score has been assigned yet.

CISO Take

Flowise, a widely-deployed no-code AI agent builder, has a critical authentication bypass in two unauthenticated API endpoints that together allow any attacker to steal valid OAuth 2.0 access tokens for third-party services integrated into public chatflows. The attack requires only two unauthenticated HTTP requests — extracting an OAuth credential identifier from the public chatflow configuration endpoint, then exchanging that identifier for a live token at the unauthenticated OAuth refresh endpoint. With 37 prior CVEs in this package, a trivial two-step curl-based PoC published in the advisory, and OAuth integrations commonly connecting to Gmail, Google APIs, and other business-critical services, exploitation is a realistic near-term risk for every internet-exposed self-hosted Flowise instance. Organizations should upgrade to Flowise 3.1.0 immediately, revoke and rotate OAuth tokens for all services configured in Flowise workflows, and audit third-party service access logs for unauthorized activity dating back to initial deployment.

Sources: GitHub Advisory ATLAS CISA KEV

Risk Assessment

HIGH. The vulnerability is trivially exploitable — it requires no authentication, no special tooling, and the full PoC consists of two standard HTTP requests. Any self-hosted Flowise instance with public chatflows configured to use OAuth 2.0 integrations (Google, Microsoft, GitHub, etc.) is exposed by default, since public chatflows are designed to be internet-accessible. The credential identifiers exposed via the configuration endpoint are not secrets by design, making this a systemic architectural flaw rather than a misconfiguration. The blast radius extends beyond Flowise itself to every connected OAuth service, meaning a single Flowise deployment could be the entry point to email, calendar, code repositories, or SaaS platforms.

Attack Kill Chain

Initial Reconnaissance

Attacker identifies a public Flowise chatflow via an embedded widget or public URL on a target organization's website, extracting the chatflowId from browser network requests.

AML.T0006

Configuration Exfiltration

Attacker calls the unauthenticated GET /api/v1/public-chatbotConfig/{chatflowId} endpoint and receives full workflow JSON containing internal OAuth credential identifiers.

AML.T0083

Token Theft

Attacker calls the unauthenticated POST /api/v1/oauth2-credential/refresh/{credentialId} endpoint using the extracted credential ID, receiving a valid OAuth 2.0 access token for the connected service.

AML.T0091.000

Third-Party Service Compromise

Attacker uses the stolen OAuth token to access the connected third-party service (Gmail, GitHub, Google APIs, etc.) with the full permissions delegated to the Flowise agent, enabling data exfiltration or further lateral movement.

AML.T0053

Initial Reconnaissance

Attacker identifies a public Flowise chatflow via an embedded widget or public URL on a target organization's website, extracting the chatflowId from browser network requests.

AML.T0006

Configuration Exfiltration

Attacker calls the unauthenticated GET /api/v1/public-chatbotConfig/{chatflowId} endpoint and receives full workflow JSON containing internal OAuth credential identifiers.

AML.T0083

Token Theft

Attacker calls the unauthenticated POST /api/v1/oauth2-credential/refresh/{credentialId} endpoint using the extracted credential ID, receiving a valid OAuth 2.0 access token for the connected service.

AML.T0091.000

Third-Party Service Compromise

Attacker uses the stolen OAuth token to access the connected third-party service (Gmail, GitHub, Google APIs, etc.) with the full permissions delegated to the Flowise agent, enabling data exfiltration or further lateral movement.

AML.T0053

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
flowise	npm	<= 3.0.13	`3.1.0`

Do you use flowise? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

6 steps

IMMEDIATE — Upgrade Flowise to version 3.1.0, which patches both the unauthenticated configuration endpoint and the unauthenticated OAuth refresh endpoint.
REVOKE — Rotate all OAuth tokens and application credentials for every third-party service (Gmail, GitHub, Google APIs, etc.) configured in Flowise workflows — treat all existing tokens as compromised.
AUDIT — Review access logs for connected OAuth services for unauthorized API calls, focusing on the period since initial Flowise deployment.
HARDEN — Until patched, block external access to /api/v1/oauth2-credential/refresh/* and /api/v1/public-chatbotConfig/* at the WAF or reverse proxy layer.
ISOLATE — Consider moving OAuth-sensitive workflows behind authenticated (private) chatflows rather than public ones, even post-patch.
DETECT — Alert on unexpected OAuth token refresh calls or anomalous API activity in integrated services.

Classification

Auth Bypass Data Extraction Privacy Violation Agent Framework API AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration AML.T0091.000 - Application Access Token

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2 - AI system design and development security A.9.2 - Controls for AI system security

NIST AI RMF

GOVERN 6.2 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms to respond to and recover from AI risks

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is GHSA-6f7g-v4pp-r667?

Flowise, a widely-deployed no-code AI agent builder, has a critical authentication bypass in two unauthenticated API endpoints that together allow any attacker to steal valid OAuth 2.0 access tokens for third-party services integrated into public chatflows. The attack requires only two unauthenticated HTTP requests — extracting an OAuth credential identifier from the public chatflow configuration endpoint, then exchanging that identifier for a live token at the unauthenticated OAuth refresh endpoint. With 37 prior CVEs in this package, a trivial two-step curl-based PoC published in the advisory, and OAuth integrations commonly connecting to Gmail, Google APIs, and other business-critical services, exploitation is a realistic near-term risk for every internet-exposed self-hosted Flowise instance. Organizations should upgrade to Flowise 3.1.0 immediately, revoke and rotate OAuth tokens for all services configured in Flowise workflows, and audit third-party service access logs for unauthorized activity dating back to initial deployment.

Is GHSA-6f7g-v4pp-r667 actively exploited?

No confirmed active exploitation of GHSA-6f7g-v4pp-r667 has been reported, but organizations should still patch proactively.

How to fix GHSA-6f7g-v4pp-r667?

1. IMMEDIATE — Upgrade Flowise to version 3.1.0, which patches both the unauthenticated configuration endpoint and the unauthenticated OAuth refresh endpoint. 2. REVOKE — Rotate all OAuth tokens and application credentials for every third-party service (Gmail, GitHub, Google APIs, etc.) configured in Flowise workflows — treat all existing tokens as compromised. 3. AUDIT — Review access logs for connected OAuth services for unauthorized API calls, focusing on the period since initial Flowise deployment. 4. HARDEN — Until patched, block external access to /api/v1/oauth2-credential/refresh/* and /api/v1/public-chatbotConfig/* at the WAF or reverse proxy layer. 5. ISOLATE — Consider moving OAuth-sensitive workflows behind authenticated (private) chatflows rather than public ones, even post-patch. 6. DETECT — Alert on unexpected OAuth token refresh calls or anomalous API activity in integrated services.

What systems are affected by GHSA-6f7g-v4pp-r667?

This vulnerability affects the following AI/ML architecture patterns: AI agent platforms, No-code LLM workflow builders, OAuth-integrated chatbots, Customer-facing AI assistants, Enterprise automation pipelines.

What is the CVSS score for GHSA-6f7g-v4pp-r667?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. ### Details Flowise is designed to allow public chatflows to be accessed by unauthenticated end users via public URLs or embedded widgets. As a result, `chatflowId` values are intentionally exposed to unauthenticated clients and must not be treated as secrets. However, the endpoint `GET /api/v1/public-chatbotConfig/<chatflowId>` returns internal `flowData` without authentication. The returned `flowData` includes workflow node definitions containing OAuth credential identifiers (`credential` field). Separately, the endpoint `POST /api/v1/oauth2-credential/refresh/<credentialId>` allows OAuth. 2.0 tokens to be refreshed without authentication or authorization checks. Because credential identifiers can be obtained from the unauthenticated public chatflow configuration endpoint, these two behaviors can be combined to allow unauthenticated OAuth 2.0 access token disclosure. ### PoC **Prerequisites** - Self-hosted Flowise instance - A public chatflow configured with an OAuth 2.0 credential (e.g., Gmail OAuth2) #### Step 1: Obtain `chatflowId` The `chatflowId` is exposed to unauthenticated users via public chatflow URLs, embedded widgets, or browser network requests when accessing a public chatflow. Example: `d37b9812-72c1-4c64-b152-665f307f755e` #### Step 2: Retrieve internal `flowData` without authentication ```bash curl -s \ http://localhost:3000/api/v1/public-chatbotConfig/d37b9812-72c1-4c64-b152-665f307f755e ``` The response includes flowData containing an OAuth credential identifier, for example: ``` "credential": "6efe0e20-ba6f-4fbb-9960-658feffa0542" ``` #### Step 3: Refresh OAuth 2.0 token without authentication ```bash curl -X POST \ http://localhost:3000/api/v1/oauth2-credential/refresh/6efe0e20-ba6f-4fbb-9960-658feffa0542 ``` The response returns valid OAuth 2.0 access token data, including an `access_token`. ### Impact An unauthenticated attacker can obtain OAuth 2.0 access tokens for third-party services configured in Flowise, potentially leading to unauthorized data access, API abuse, or account compromise. This vulnerability affects self-hosted deployments because public chatflows are commonly exposed to the internet and require unauthenticated access by design. Treating `chatflowId` as a secret does not mitigate the issue.

Exploitation Scenario

A threat actor targeting a company's customer-facing AI chatbot built on Flowise opens the company website and uses browser developer tools to capture the chatflowId from network requests made by the embedded widget. The attacker sends an unauthenticated GET request to /api/v1/public-chatbotConfig/{chatflowId} and receives the full workflow JSON, which contains an OAuth credential identifier for the company's Gmail integration used by the chatbot to send confirmation emails. The attacker then sends an unauthenticated POST to /api/v1/oauth2-credential/refresh/{credentialId} and receives a valid Gmail OAuth access token. With this token, the attacker gains full read/write access to the business Gmail account, enabling email exfiltration, impersonation of company communications, or pivot to other Google Workspace services — all without ever authenticating to Flowise.