Flowise, a widely deployed AI agent workflow platform, exposes all OpenAI Assistants Vector Store management endpoints — create, update, delete, and file upload — without any authorization middleware, meaning any authenticated user regardless of assigned role can fully manipulate your AI agents' knowledge bases. Vector stores in Flowise are the RAG data sources that ground agent responses, so unauthorized write access translates directly to RAG poisoning or wholesale data destruction, while read access enables exfiltration of every document your organization has ingested. This package has now accumulated 76 CVEs, signaling sustained researcher and likely adversary interest in its attack surface. Patch immediately to Flowise 3.1.2, which adds proper permission checks on all affected routes.
What is the risk?
HIGH. Authentication is required, which reduces the attack surface, but the bar is extremely low — any valid Flowise account, including low-privilege users, trial accounts, or compromised credentials, is sufficient. The vulnerability is trivially exploitable by anyone who can read the public security advisory. Vector stores hold proprietary organizational data used to ground AI agent responses, making both exfiltration and poisoning high-impact outcomes. With 76 CVEs in this package, Flowise deployments are already on attacker radar and the authorization gap is straightforward to automate.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | <= 3.1.1 | 3.1.2 |
Do you use Flowise? You're affected.
How severe is it?
What should I do?
5 steps-
IMMEDIATE
Upgrade to flowise@3.1.2, which adds checkAnyPermission() middleware to all vector store routes.
-
SHORT-TERM: Audit vector store contents for unauthorized uploads or modifications — compare current state against known-good backups or re-index from source documents.
-
DETECTION
Review Flowise access logs for unexpected POST, PUT, or DELETE requests to /api/v1/openai-assistants-vector-store from non-admin accounts, especially bulk file uploads or mass deletions.
-
COMPENSATING CONTROL (if immediate patch is not possible): Restrict Flowise network access to trusted internal IP ranges to reduce exposure to internal threat actors only.
-
REVIEW
Audit all active Flowise user accounts and revoke unnecessary access.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-hmg2-jjjx-jcp2?
Flowise, a widely deployed AI agent workflow platform, exposes all OpenAI Assistants Vector Store management endpoints — create, update, delete, and file upload — without any authorization middleware, meaning any authenticated user regardless of assigned role can fully manipulate your AI agents' knowledge bases. Vector stores in Flowise are the RAG data sources that ground agent responses, so unauthorized write access translates directly to RAG poisoning or wholesale data destruction, while read access enables exfiltration of every document your organization has ingested. This package has now accumulated 76 CVEs, signaling sustained researcher and likely adversary interest in its attack surface. Patch immediately to Flowise 3.1.2, which adds proper permission checks on all affected routes.
Is GHSA-hmg2-jjjx-jcp2 actively exploited?
No confirmed active exploitation of GHSA-hmg2-jjjx-jcp2 has been reported, but organizations should still patch proactively.
How to fix GHSA-hmg2-jjjx-jcp2?
1. IMMEDIATE: Upgrade to flowise@3.1.2, which adds checkAnyPermission() middleware to all vector store routes. 2. SHORT-TERM: Audit vector store contents for unauthorized uploads or modifications — compare current state against known-good backups or re-index from source documents. 3. DETECTION: Review Flowise access logs for unexpected POST, PUT, or DELETE requests to /api/v1/openai-assistants-vector-store from non-admin accounts, especially bulk file uploads or mass deletions. 4. COMPENSATING CONTROL (if immediate patch is not possible): Restrict Flowise network access to trusted internal IP ranges to reduce exposure to internal threat actors only. 5. REVIEW: Audit all active Flowise user accounts and revoke unnecessary access.
What systems are affected by GHSA-hmg2-jjjx-jcp2?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, Agent frameworks, AI workflow platforms, Vector databases.
What is the CVSS score for GHSA-hmg2-jjjx-jcp2?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application AML.T0070 RAG Poisoning AML.T0071 False RAG Entry Injection AML.T0085.000 RAG Databases AML.T0086 Exfiltration via AI Agent Tool Invocation AML.T0101 Data Destruction via AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
### FINDING 4: OpenAI Assistants Vector Store - No Auth on CRUD Operations **Severity**: HIGH (CVSS ~8.1) **Type**: CWE-306 (Missing Authentication for Critical Function) **File**: `packages/server/src/routes/openai-assistants-vector-store/index.ts` **Description**: ALL CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware AND the route path `/api/v1/openai-assistants-vector-store` is NOT in `WHITELIST_URLS`. However, it is also NOT protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but NO permission checks exist on any operation. The real issue is that the routes have no `checkAnyPermission()` middleware, meaning any authenticated user regardless of role can: - Create vector stores - Upload files to vector stores - Delete vector stores and files - Modify any vector store **Evidence**: ```typescript // No permission middleware on any route router.post('/', controller.createAssistantVectorStore) // No permission check router.put(['/', '/:id'], controller.updateAssistantVectorStore) // No permission check router.delete(['/', '/:id'], controller.deleteAssistantVectorStore) // No permission check router.post('/:id', getMulterStorage().array('files'), controller.uploadFilesToAssistantVectorStore) // No permission check ``` **Impact**: Any authenticated user can manipulate OpenAI vector stores, upload malicious files, delete data, or exfiltrate stored documents regardless of their assigned permissions.
Exploitation Scenario
An attacker with any valid Flowise account — obtained via credential stuffing against a self-hosted instance, phishing a low-privilege employee, or registering a trial account — directly calls the unprotected vector store CRUD endpoints. They first enumerate existing vector stores and retrieve all associated files, exfiltrating the organization's proprietary document collection used to ground AI agents. They then upload a crafted file containing indirect prompt injection payloads into a high-priority vector store. When legitimate users query AI agents backed by that store, the poisoned knowledge base causes the agent to return attacker-controlled responses — leaking system prompts, steering users toward malicious content, or performing unauthorized tool calls. Finally, the attacker deletes the original clean files to remove evidence and maximize disruption to agent operations.
Weaknesses (CWE)
CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2025-71338 10.0 Flowise: unauthenticated file write enables RCE
Same package: flowise CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE
Same package: flowise