GHSA-hmg2-jjjx-jcp2: Flowise: missing authz on vector store CRUD endpoints

GHSA-hmg2-jjjx-jcp2 HIGH
Published May 14, 2026
CISO Take

Flowise, a widely deployed AI agent workflow platform, exposes all OpenAI Assistants Vector Store management endpoints — create, update, delete, and file upload — without any authorization middleware, meaning any authenticated user regardless of assigned role can fully manipulate your AI agents' knowledge bases. Vector stores in Flowise are the RAG data sources that ground agent responses, so unauthorized write access translates directly to RAG poisoning or wholesale data destruction, while read access enables exfiltration of every document your organization has ingested. This package has now accumulated 76 CVEs, signaling sustained researcher and likely adversary interest in its attack surface. Patch immediately to Flowise 3.1.2, which adds proper permission checks on all affected routes.

Sources: GitHub Advisory ATLAS

What is the risk?

HIGH. Authentication is required, which reduces the attack surface, but the bar is extremely low — any valid Flowise account, including low-privilege users, trial accounts, or compromised credentials, is sufficient. The vulnerability is trivially exploitable by anyone who can read the public security advisory. Vector stores hold proprietary organizational data used to ground AI agent responses, making both exfiltration and poisoning high-impact outcomes. With 76 CVEs in this package, Flowise deployments are already on attacker radar and the authorization gap is straightforward to automate.

How does the attack unfold?

Initial Access
Adversary authenticates to target Flowise instance with any valid account obtained via credential stuffing, phishing, or self-registration on a permissive deployment.
AML.T0012
Exploitation
Adversary calls /api/v1/openai-assistants-vector-store endpoints directly; no permission middleware exists so role is never checked and all CRUD operations succeed regardless of account privilege.
AML.T0049
Collection & Exfiltration
Adversary enumerates all vector stores and downloads their document contents, extracting proprietary organizational knowledge used to ground AI agent responses.
AML.T0085.000
RAG Poisoning or Data Destruction
Adversary uploads malicious files containing prompt injection payloads to corrupt agent knowledge bases, or invokes DELETE to destroy vector stores and cause agent denial of service.
AML.T0070

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm <= 3.1.1 3.1.2

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. IMMEDIATE

    Upgrade to flowise@3.1.2, which adds checkAnyPermission() middleware to all vector store routes.

  2. SHORT-TERM: Audit vector store contents for unauthorized uploads or modifications — compare current state against known-good backups or re-index from source documents.

  3. DETECTION

    Review Flowise access logs for unexpected POST, PUT, or DELETE requests to /api/v1/openai-assistants-vector-store from non-admin accounts, especially bulk file uploads or mass deletions.

  4. COMPENSATING CONTROL (if immediate patch is not possible): Restrict Flowise network access to trusted internal IP ranges to reduce exposure to internal threat actors only.

  5. REVIEW

    Audit all active Flowise user accounts and revoke unnecessary access.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity Art. 9 - Risk Management System
ISO 42001
A.6.1.3 - Access control to AI systems
NIST AI RMF
GOVERN 1.1 - Policies and practices for AI risk governance MANAGE 2.2 - Mechanisms for authorized management of AI risks
OWASP LLM Top 10
LLM06:2025 - Excessive Agency LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is GHSA-hmg2-jjjx-jcp2?

Flowise, a widely deployed AI agent workflow platform, exposes all OpenAI Assistants Vector Store management endpoints — create, update, delete, and file upload — without any authorization middleware, meaning any authenticated user regardless of assigned role can fully manipulate your AI agents' knowledge bases. Vector stores in Flowise are the RAG data sources that ground agent responses, so unauthorized write access translates directly to RAG poisoning or wholesale data destruction, while read access enables exfiltration of every document your organization has ingested. This package has now accumulated 76 CVEs, signaling sustained researcher and likely adversary interest in its attack surface. Patch immediately to Flowise 3.1.2, which adds proper permission checks on all affected routes.

Is GHSA-hmg2-jjjx-jcp2 actively exploited?

No confirmed active exploitation of GHSA-hmg2-jjjx-jcp2 has been reported, but organizations should still patch proactively.

How to fix GHSA-hmg2-jjjx-jcp2?

1. IMMEDIATE: Upgrade to flowise@3.1.2, which adds checkAnyPermission() middleware to all vector store routes. 2. SHORT-TERM: Audit vector store contents for unauthorized uploads or modifications — compare current state against known-good backups or re-index from source documents. 3. DETECTION: Review Flowise access logs for unexpected POST, PUT, or DELETE requests to /api/v1/openai-assistants-vector-store from non-admin accounts, especially bulk file uploads or mass deletions. 4. COMPENSATING CONTROL (if immediate patch is not possible): Restrict Flowise network access to trusted internal IP ranges to reduce exposure to internal threat actors only. 5. REVIEW: Audit all active Flowise user accounts and revoke unnecessary access.

What systems are affected by GHSA-hmg2-jjjx-jcp2?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, Agent frameworks, AI workflow platforms, Vector databases.

What is the CVSS score for GHSA-hmg2-jjjx-jcp2?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesAgent frameworksAI workflow platformsVector databases

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0070 RAG Poisoning
AML.T0071 False RAG Entry Injection
AML.T0085.000 RAG Databases
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: A.6.1.3
NIST AI RMF: GOVERN 1.1, MANAGE 2.2
OWASP LLM Top 10: LLM06:2025, LLM08:2025

What are the technical details?

Original Advisory

### FINDING 4: OpenAI Assistants Vector Store - No Auth on CRUD Operations **Severity**: HIGH (CVSS ~8.1) **Type**: CWE-306 (Missing Authentication for Critical Function) **File**: `packages/server/src/routes/openai-assistants-vector-store/index.ts` **Description**: ALL CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware AND the route path `/api/v1/openai-assistants-vector-store` is NOT in `WHITELIST_URLS`. However, it is also NOT protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but NO permission checks exist on any operation. The real issue is that the routes have no `checkAnyPermission()` middleware, meaning any authenticated user regardless of role can: - Create vector stores - Upload files to vector stores - Delete vector stores and files - Modify any vector store **Evidence**: ```typescript // No permission middleware on any route router.post('/', controller.createAssistantVectorStore) // No permission check router.put(['/', '/:id'], controller.updateAssistantVectorStore) // No permission check router.delete(['/', '/:id'], controller.deleteAssistantVectorStore) // No permission check router.post('/:id', getMulterStorage().array('files'), controller.uploadFilesToAssistantVectorStore) // No permission check ``` **Impact**: Any authenticated user can manipulate OpenAI vector stores, upload malicious files, delete data, or exfiltrate stored documents regardless of their assigned permissions.

Exploitation Scenario

An attacker with any valid Flowise account — obtained via credential stuffing against a self-hosted instance, phishing a low-privilege employee, or registering a trial account — directly calls the unprotected vector store CRUD endpoints. They first enumerate existing vector stores and retrieve all associated files, exfiltrating the organization's proprietary document collection used to ground AI agents. They then upload a crafted file containing indirect prompt injection payloads into a high-priority vector store. When legitimate users query AI agents backed by that store, the poisoned knowledge base causes the agent to return attacker-controlled responses — leaking system prompts, steering users toward malicious content, or performing unauthorized tool calls. Finally, the attacker deletes the original clean files to remove evidence and maximize disruption to agent operations.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 14, 2026

Related Vulnerabilities