GHSA-6pcv-j4jx-m4vx: Flowise unauthenticated SSO

CISO Take

FlowiseAI's `/api/v1/loginmethod` endpoint returns full SSO configuration — including OAuth client secrets for Google, Azure, GitHub, and Auth0 — to any unauthenticated HTTP request, requiring only a guessable organizationId. The CVSS score of 5.3 dramatically understates the real impact: a successful query hands attackers third-party OAuth credentials that enable account takeover across integrated cloud services, far beyond the AI platform itself. With no authentication barrier and a trivial one-line HTTP request as the PoC, exploitation requires zero AI or security expertise, and the package already carries 37 historical CVEs suggesting systemic security debt. Organizations running FlowiseAI (cloud or self-hosted) should immediately upgrade to 3.1.0; as an interim workaround, block public access to `/api/v1/loginmethod` at the network/reverse-proxy layer and rotate all OAuth credentials stored in any FlowiseAI instance.

Sources: GitHub Advisory ATLAS

What is the risk?

Despite a CVSS 5.3 rating (Confidentiality:Low, no integrity or availability impact), the business risk is HIGH. The vulnerability is pre-auth, network-accessible, zero-complexity, and the payload contains live OAuth credentials. Any organization with SSO enabled on FlowiseAI cloud or a self-hosted instance exposed to the internet is at risk. The organizationId enumeration barrier is low — UUIDs are often predictable or discoverable via other means. The blast radius extends beyond FlowiseAI itself to every third-party service (Azure AD, Google Workspace, GitHub org, Auth0 tenants) whose OAuth app credentials are configured.

How does the attack unfold?

Reconnaissance

Attacker identifies a FlowiseAI instance and discovers or enumerates valid organizationId values via public URLs, error messages, or brute-force.

AML.T0006

Credential Harvest

Attacker sends unauthenticated GET to `/api/v1/loginmethod?organizationId=<id>` and receives OAuth client secrets for Google, Azure, GitHub, and Auth0 in cleartext JSON.

AML.T0049

Lateral Movement

Attacker uses stolen OAuth client credentials to authenticate as the FlowiseAI application against third-party identity providers, gaining access to connected enterprise services.

AML.T0091

Impact

Attacker exfiltrates data from enterprise services (Azure AD, Google Workspace, GitHub repos) connected to AI agent workflows, or impersonates the application for persistent access.

AML.T0025

Reconnaissance

Attacker identifies a FlowiseAI instance and discovers or enumerates valid organizationId values via public URLs, error messages, or brute-force.

AML.T0006

Credential Harvest

Attacker sends unauthenticated GET to `/api/v1/loginmethod?organizationId=<id>` and receives OAuth client secrets for Google, Azure, GitHub, and Auth0 in cleartext JSON.

AML.T0049

Lateral Movement

Attacker uses stolen OAuth client credentials to authenticate as the FlowiseAI application against third-party identity providers, gaining access to connected enterprise services.

AML.T0091

Impact

Attacker exfiltrates data from enterprise services (Azure AD, Google Workspace, GitHub repos) connected to AI agent workflows, or impersonates the application for persistent access.

AML.T0025

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	<= 3.0.13	`3.1.0`

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

5.3 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C Low

I None

A None

What should I do?

5 steps

Patch immediately

Upgrade flowise to >= 3.1.0 which fixes the missing authentication check.
Rotate credentials

Revoke and regenerate all OAuth client secrets (Google, Azure, GitHub, Auth0) configured in any affected FlowiseAI instance — treat all stored credentials as compromised.
Network-level block

Add WAF/reverse-proxy rule to reject unauthenticated requests to /api/v1/loginmethod as a defense-in-depth measure.
Audit access logs

Review server logs for unexpected GET requests to /api/v1/loginmethod to determine if exploitation occurred.
Inventory exposure

Identify all self-hosted FlowiseAI instances exposed to the internet and prioritize patching those first.

How is it classified?

Auth Bypass Data Extraction Agent API AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration AML.T0106 - Exploitation for Credential Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.1 - Access control policy A.9.4 - System and application access control

NIST AI RMF

PROTECT-1.1 - Organizational policies and practices are in place to ensure secure development and deployment of AI systems

OWASP LLM Top 10

LLM06:2025 - Excessive Agency LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is GHSA-6pcv-j4jx-m4vx?

FlowiseAI's `/api/v1/loginmethod` endpoint returns full SSO configuration — including OAuth client secrets for Google, Azure, GitHub, and Auth0 — to any unauthenticated HTTP request, requiring only a guessable organizationId. The CVSS score of 5.3 dramatically understates the real impact: a successful query hands attackers third-party OAuth credentials that enable account takeover across integrated cloud services, far beyond the AI platform itself. With no authentication barrier and a trivial one-line HTTP request as the PoC, exploitation requires zero AI or security expertise, and the package already carries 37 historical CVEs suggesting systemic security debt. Organizations running FlowiseAI (cloud or self-hosted) should immediately upgrade to 3.1.0; as an interim workaround, block public access to `/api/v1/loginmethod` at the network/reverse-proxy layer and rotate all OAuth credentials stored in any FlowiseAI instance.

Is GHSA-6pcv-j4jx-m4vx actively exploited?

No confirmed active exploitation of GHSA-6pcv-j4jx-m4vx has been reported, but organizations should still patch proactively.

How to fix GHSA-6pcv-j4jx-m4vx?

1. **Patch immediately**: Upgrade `flowise` to >= 3.1.0 which fixes the missing authentication check. 2. **Rotate credentials**: Revoke and regenerate all OAuth client secrets (Google, Azure, GitHub, Auth0) configured in any affected FlowiseAI instance — treat all stored credentials as compromised. 3. **Network-level block**: Add WAF/reverse-proxy rule to reject unauthenticated requests to `/api/v1/loginmethod` as a defense-in-depth measure. 4. **Audit access logs**: Review server logs for unexpected GET requests to `/api/v1/loginmethod` to determine if exploitation occurred. 5. **Inventory exposure**: Identify all self-hosted FlowiseAI instances exposed to the internet and prioritize patching those first.

What systems are affected by GHSA-6pcv-j4jx-m4vx?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow builders, SSO-integrated AI platforms, cloud-hosted AI services.

What is the CVSS score for GHSA-6pcv-j4jx-m4vx?

GHSA-6pcv-j4jx-m4vx has a CVSS v3.1 base score of 5.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM workflow buildersSSO-integrated AI platformscloud-hosted AI services

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

AML.T0083 Credentials from AI Agent Configuration

AML.T0084 Discover AI Agent Configuration

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.9.1, A.9.4

NIST AI RMF: PROTECT-1.1

OWASP LLM Top 10: LLM06:2025, LLM10:2025

What are the technical details?

Original Advisory

### Summary I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth credentials (Client Secrets) in cleartext. ### PoC The following request can be sent by anyone on the internet without any cookies or authorization headers. Request ```http GET /api/v1/loginmethod?organizationId=<any_organization_id> HTTP/2 Host: cloud.flowiseai.com Accept: application/json Content-Type: application/json ``` Response: The server returns 200 OK with sensitive credentials: ```json { "providers": [ { "id": "a04ba769-b810-481d-8d6b-84f8c377dea5", "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d", "name": "azure", "config": { "tenantID": "", "clientID": "", "clientSecret": "" }, "status": "disable", "createdDate": "2025-12-26T18:52:33.453Z", "updatedDate": "2025-12-26T19:31:56.087Z", "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2", "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2" }, { "id": "eda8bd90-1c45-4aca-933f-3a53d9be4161", "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d", "name": "google", "config": { "clientID": "123455", "clientSecret": "123455" }, "status": "enable", "createdDate": "2025-12-26T18:52:33.453Z", "updatedDate": "2025-12-26T19:31:56.087Z", "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2", "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2" }, { "id": "0d238df0-c89c-4733-bf57-6ec06f58c7e7", "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d", "name": "auth0", "config": { "domain": "", "clientID": "", "clientSecret": "" }, "status": "disable", "createdDate": "2025-12-26T18:52:33.453Z", "updatedDate": "2025-12-26T19:31:56.087Z", "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2", "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2" }, { "id": "e060ae88-c7f4-4b7c-9bdc-5321963a1648", "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d", "name": "github", "config": { "clientID": "", "clientSecret": "" }, "status": "disable", "createdDate": "2025-12-26T18:52:33.453Z", "updatedDate": "2025-12-26T19:31:56.087Z", "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2", "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2" } ], "callbacks": [ { "providerName": "azure", "callbackURL": "https://cloud.flowiseai.com/api/v1/azure/callback" }, { "providerName": "google", "callbackURL": "https://cloud.flowiseai.com/api/v1/google/callback" }, { "providerName": "auth0", "callbackURL": "https://cloud.flowiseai.com/api/v1/auth0/callback" }, { "providerName": "github", "callbackURL": "https://cloud.flowiseai.com/api/v1/github/callback" } ] } ``` ### Affected Deployments - FlowiseAI Cloud (cloud.flowiseai.com) - Self-hosted FlowiseAI instances where the /api/v1/loginmethod endpoint is exposed ### Impact An unauthenticated attacker can harvest sensitive API secrets (Google, Microsoft, GitHub Client Secrets) from any organization on the cloud platform. This leads to complete compromise of the organization's third-party integrations and potential data breaches.

Exploitation Scenario

An attacker conducting reconnaissance against a target organization discovers a FlowiseAI instance at `ai.company.com`. Using a simple unauthenticated GET request to `https://ai.company.com/api/v1/loginmethod?organizationId=<id>` — where the organizationId may be found in a public URL, leaked log, or brute-forced — the attacker receives a 200 OK response containing Azure AD tenant ID, client ID, and client secret in cleartext JSON. The attacker then registers the stolen credentials against Microsoft Graph API to impersonate the FlowiseAI application, gaining access to all enterprise data sources (SharePoint, email, Teams) configured as tools in the AI agent workflows, effectively pivoting from an AI platform vulnerability into full corporate data access.

Weaknesses (CWE)

CWE-306 Missing Authentication for Critical Function Primary CWE-312 Cleartext Storage of Sensitive Information Primary

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

[Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.