GHSA-hmg2-jjjx-jcp2: Flowise: missing authz on vector store CRUD endpoints

GHSA-hmg2-jjjx-jcp2 HIGH
Published May 14, 2026
CISO Take

Flowise, a widely deployed AI agent workflow platform, registers its OpenAI Assistants Vector Store management routes (create, update, delete, and file upload) without any permission middleware, so any authenticated user, regardless of assigned role, can fully manipulate the knowledge bases behind your AI agents. Vector stores in Flowise are the RAG data sources that ground agent responses, so unauthorized write access translates directly into RAG poisoning or wholesale data destruction; the advisory also lists exfiltration of stored documents as an impact, although the route listing in its evidence covers only the write operations, so verify the read paths in your own deployment. This package has now accumulated 76 CVEs, signaling sustained researcher and likely adversary interest in its attack surface. Patch immediately to Flowise 3.1.2, which adds proper permission checks on all affected routes.

Sources: GitHub Advisory, ATLAS

What is the risk?

HIGH. Authentication is required, which reduces the attack surface, but the bar is extremely low — any valid Flowise account, including low-privilege users, trial accounts, or compromised credentials, is sufficient. The vulnerability is trivially exploitable by anyone who can read the public security advisory. Vector stores hold proprietary organizational data used to ground AI agent responses, making both exfiltration and poisoning high-impact outcomes. With 76 CVEs in this package, Flowise deployments are already on attacker radar and the authorization gap is straightforward to automate.

Attack Kill Chain

Initial Access
Adversary authenticates to target Flowise instance with any valid account obtained via credential stuffing, phishing, or self-registration on a permissive deployment.
AML.T0012
Exploitation
Adversary calls /api/v1/openai-assistants-vector-store endpoints directly; no permission middleware exists so role is never checked and all CRUD operations succeed regardless of account privilege.
AML.T0049
Collection & Exfiltration
Adversary enumerates all vector stores and downloads their document contents, extracting proprietary organizational knowledge used to ground AI agent responses.
AML.T0085.000
RAG Poisoning or Data Destruction
Adversary uploads malicious files containing prompt injection payloads to corrupt agent knowledge bases, or invokes DELETE to destroy vector stores and cause agent denial of service.
AML.T0070

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
flowise   npm         <= 3.1.1           3.1.2

If you run flowise at version 3.1.1 or earlier, you are affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps

1. IMMEDIATE: Upgrade to flowise@3.1.2, which adds checkAnyPermission() middleware to all vector store routes, and confirm the running version afterwards.

2. SHORT-TERM: Audit vector store contents for unauthorized uploads or modifications. Compare the current state against known-good backups or re-index from source documents. Because these endpoints manage OpenAI Assistants vector stores, include the file listings on the OpenAI side in the audit, not only Flowise's own records.

3. DETECTION: Review Flowise access logs for unexpected POST, PUT, or DELETE requests to /api/v1/openai-assistants-vector-store from non-admin accounts, especially bulk file uploads or mass deletions. In a vulnerable version every such request succeeds, so a single successful non-admin write is enough to warrant investigation.

4. COMPENSATING CONTROL (if immediate patch is not possible): Restrict Flowise network access to trusted internal IP ranges. This only reduces who can reach the instance; it does not close the gap, since any account that can still authenticate retains full write access to vector stores until the patch is applied.

5. REVIEW: Audit all active Flowise user accounts and revoke unnecessary access.
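As an added example (not Flowise code), the detection logic from step 3 run over a handful of constructed log lines. The "timestamp key=value" log format, the role field, and the bulk threshold of five are assumptions for illustration; Flowise's real access-log format is not shown on this page, so adapt parseLine() to your deployment.

```typescript
// Added example, not Flowise code. Scans access-log lines for write requests to
// the vulnerable vector store routes made by non-admin accounts (advisory step 3).
// ASSUMED for illustration: a "timestamp key=value ..." log format with a role
// field, and a bulk threshold of 5. Adapt parseLine() to your real log format.

export const VECTOR_STORE_PATH = "/api/v1/openai-assistants-vector-store";
const WRITE_METHODS = new Set(["POST", "PUT", "DELETE"]);
const BULK_THRESHOLD = 5; // assumed: this many uploads or deletes by one account = bulk

export interface LogEntry {
  ts: string; // ISO-8601 timestamp as logged
  user: string;
  role: string;
  method: string;
  path: string;
  status: number;
}

export interface Finding {
  user: string;
  role: string;
  writes: number; // successful POST/PUT/DELETE under the vector store prefix
  uploads: number; // POST /<id>, the multipart file-upload route
  deletes: number;
  bulk: boolean;
  firstSeen: string;
  lastSeen: string;
}

// Parses one line of the assumed format; returns null for anything else.
export function parseLine(line: string): LogEntry | null {
  const m = line.match(/^(\S+)\s+(.*)$/);
  if (!m) return null;
  const fields: Record<string, string> = {};
  for (const kv of m[2].split(/\s+/)) {
    const i = kv.indexOf("=");
    if (i > 0) fields[kv.slice(0, i)] = kv.slice(i + 1);
  }
  if (!fields.user || !fields.method || !fields.path) return null;
  if (Number.isNaN(Date.parse(m[1]))) return null;
  return {
    ts: m[1],
    user: fields.user,
    role: fields.role ?? "unknown",
    method: fields.method.toUpperCase(),
    path: fields.path,
    status: Number(fields.status ?? "0"),
  };
}

// True for the routes the advisory lists: any write method under the prefix.
export function isVectorStoreWrite(e: LogEntry): boolean {
  return (
    WRITE_METHODS.has(e.method) &&
    (e.path === VECTOR_STORE_PATH || e.path.startsWith(VECTOR_STORE_PATH + "/"))
  );
}

// Groups successful non-admin writes per account and flags bulk activity.
export function findSuspiciousWrites(
  lines: string[],
  adminRoles: Set<string> = new Set(["admin"]),
): Finding[] {
  const perUser = new Map<string, Finding>();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || !isVectorStoreWrite(e) || adminRoles.has(e.role)) continue;
    if (e.status >= 400) continue; // failed requests changed nothing; triage separately
    let f = perUser.get(e.user);
    if (!f) {
      f = { user: e.user, role: e.role, writes: 0, uploads: 0, deletes: 0,
            bulk: false, firstSeen: e.ts, lastSeen: e.ts };
      perUser.set(e.user, f);
    }
    f.writes++;
    if (e.method === "POST" && e.path !== VECTOR_STORE_PATH) f.uploads++; // POST / is create
    if (e.method === "DELETE") f.deletes++;
    if (e.ts < f.firstSeen) f.firstSeen = e.ts;
    if (e.ts > f.lastSeen) f.lastSeen = e.ts;
    f.bulk = f.uploads >= BULK_THRESHOLD || f.deletes >= BULK_THRESHOLD;
  }
  return Array.from(perUser.values()).sort((a, b) => b.writes - a.writes);
}

// Constructed sample lines (not real Flowise logs) to exercise the scanner.
export const SAMPLE_LOG: string[] = [
  "2026-05-14T09:00:01Z user=admin role=admin method=POST path=/api/v1/openai-assistants-vector-store status=200",
  "2026-05-14T09:05:10Z user=alice role=viewer method=GET path=/api/v1/openai-assistants-vector-store status=200",
  "2026-05-14T09:06:00Z user=bob role=editor method=PUT path=/api/v1/openai-assistants-vector-store/vs_def status=200",
  "2026-05-14T09:10:00Z user=mallory role=viewer method=POST path=/api/v1/openai-assistants-vector-store/vs_abc status=200",
  "2026-05-14T09:10:05Z user=mallory role=viewer method=POST path=/api/v1/openai-assistants-vector-store/vs_abc status=200",
  "2026-05-14T09:10:10Z user=mallory role=viewer method=POST path=/api/v1/openai-assistants-vector-store/vs_abc status=200",
  "2026-05-14T09:10:15Z user=mallory role=viewer method=POST path=/api/v1/openai-assistants-vector-store/vs_abc status=200",
  "2026-05-14T09:10:20Z user=mallory role=viewer method=POST path=/api/v1/openai-assistants-vector-store/vs_abc status=200",
  "2026-05-14T09:11:00Z user=mallory role=viewer method=DELETE path=/api/v1/openai-assistants-vector-store/vs_abc status=200",
  "2026-05-14T09:12:00Z user=mallory role=viewer method=DELETE path=/api/v1/openai-assistants-vector-store/vs_xyz status=500",
];

console.log(JSON.stringify(findSuspiciousWrites(SAMPLE_LOG), null, 2));
```

Run it with ts-node or tsx and feed your exported log lines in place of SAMPLE_LOG. The bulk flag only ranks urgency: on a vulnerable version any successful non-admin write to these routes is already a finding, which is why the scanner reports every non-admin account with at least one write rather than only the bulk ones.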

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
Art. 9 - Risk Management System
ISO 42001
A.6.1.3 - Access control to AI systems
NIST AI RMF
GOVERN 1.1 - Policies and practices for AI risk governance
MANAGE 2.2 - Mechanisms for authorized management of AI risks
OWASP LLM Top 10
LLM06:2025 - Excessive Agency
LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is GHSA-hmg2-jjjx-jcp2?

GHSA-hmg2-jjjx-jcp2 is the advisory described at the top of this page: Flowise 3.1.1 and earlier register the OpenAI Assistants Vector Store routes (create, update, delete, file upload) with no permission middleware, so any authenticated account, regardless of role, can create, modify, delete, or upload into the vector stores that ground your AI agents. The fix is in Flowise 3.1.2.

Is GHSA-hmg2-jjjx-jcp2 actively exploited?

No confirmed active exploitation of GHSA-hmg2-jjjx-jcp2 has been reported, but organizations should still patch proactively.

How to fix GHSA-hmg2-jjjx-jcp2?

Follow the five steps under "What should I do?": upgrade to flowise@3.1.2; audit vector store contents against known-good copies or re-index from source; review access logs for non-admin POST, PUT, or DELETE requests to /api/v1/openai-assistants-vector-store; restrict network access as an interim exposure reduction (it does not remove the authorization gap); and audit and prune user accounts.

What systems are affected by GHSA-hmg2-jjjx-jcp2?

Flowise deployments running version 3.1.1 or earlier. In architecture terms, the affected patterns are RAG pipelines, agent frameworks, AI workflow platforms, and the vector stores that back them.

What is the CVSS score for GHSA-hmg2-jjjx-jcp2?

No official CVSS 3.1 score has been assigned yet. The advisory text estimates it at roughly 8.1 (HIGH).

Technical Details

NVD Description

### FINDING 4: OpenAI Assistants Vector Store - No Auth on CRUD Operations

**Severity**: HIGH (CVSS ~8.1)
**Type**: CWE-306 (Missing Authentication for Critical Function)
**File**: `packages/server/src/routes/openai-assistants-vector-store/index.ts`

**Description**: ALL CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware AND the route path `/api/v1/openai-assistants-vector-store` is NOT in `WHITELIST_URLS`. However, it is also NOT protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but NO permission checks exist on any operation. The real issue is that the routes have no `checkAnyPermission()` middleware, meaning any authenticated user regardless of role can:

- Create vector stores
- Upload files to vector stores
- Delete vector stores and files
- Modify any vector store

**Evidence**:

```typescript
// No permission middleware on any route
router.post('/', controller.createAssistantVectorStore) // No permission check
router.put(['/', '/:id'], controller.updateAssistantVectorStore) // No permission check
router.delete(['/', '/:id'], controller.deleteAssistantVectorStore) // No permission check
router.post('/:id', getMulterStorage().array('files'), controller.uploadFilesToAssistantVectorStore) // No permission check
```

**Impact**: Any authenticated user can manipulate OpenAI vector stores, upload malicious files, delete data, or exfiltrate stored documents regardless of their assigned permissions.
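To make the gap in the evidence concrete, here is an added example that is neither Flowise's code nor the real checkAnyPermission() from 3.1.2. It registers the same four write routes twice: once exactly as listed above, with no permission middleware, and once with a permission check in front of each route. The permission names, the role table, the request shape, and the tiny Router stand-in for express are all assumptions so the file runs with no dependencies.

```typescript
// Added example, not Flowise's code. Demonstrates the missing-authorization
// pattern from the advisory evidence and the fix pattern (a permission check in
// front of every write route). ASSUMED for illustration: the permission names,
// the role -> permission table, the request/response shape, and the minimal
// Router that stands in for express so this runs without dependencies.

export type Permission =
  | "vectorstore:create"
  | "vectorstore:update"
  | "vectorstore:delete"
  | "vectorstore:view";

// Assumed role -> permission table.
const ROLE_PERMISSIONS: Record<string, Permission[]> = {
  admin: ["vectorstore:create", "vectorstore:update", "vectorstore:delete", "vectorstore:view"],
  editor: ["vectorstore:create", "vectorstore:update", "vectorstore:view"],
  viewer: ["vectorstore:view"],
};

export interface Req { method: string; path: string; user?: { name: string; role: string } }
export interface Res { statusCode: number; body?: unknown }
type Next = () => void;
export type Handler = (req: Req, res: Res, next: Next) => void;

// Lets the request through only if the caller's role grants at least one of
// `required`; 401 when there is no authenticated user, 403 otherwise.
export function checkAnyPermission(required: Permission[]): Handler {
  return (req, res, next) => {
    if (!req.user) { res.statusCode = 401; res.body = { error: "unauthenticated" }; return; }
    const granted = new Set<Permission>(ROLE_PERMISSIONS[req.user.role] ?? []);
    if (!required.some((p) => granted.has(p))) {
      res.statusCode = 403; res.body = { error: "forbidden", required }; return;
    }
    next();
  };
}

// Minimal express-like router: first matching route wins; the chain runs until
// a handler does not call next().
export class Router {
  private routes: { method: string; re: RegExp; chain: Handler[] }[] = [];
  on(method: string, paths: string[], ...chain: Handler[]): void {
    for (const p of paths) {
      const re = new RegExp("^" + p.replace(/:[^/]+/g, "([^/]+)") + "$"); // '/:id' -> one segment
      this.routes.push({ method, re, chain });
    }
  }
  dispatch(req: Req): Res {
    const res: Res = { statusCode: 404 };
    const route = this.routes.find((r) => r.method === req.method && r.re.test(req.path));
    if (!route) return res;
    let i = 0;
    const next: Next = () => { const h = route.chain[i++]; if (h) h(req, res, next); };
    next();
    return res;
  }
}

// Stand-in controller: every operation "succeeds", so the status code reports
// only whether authorization blocked the call.
const ok: Handler = (_req, res) => { res.statusCode = 200; res.body = { ok: true }; };

// Registration as in the advisory evidence: no permission middleware at all.
export function vulnerableRouter(): Router {
  const r = new Router();
  r.on("POST", ["/"], ok);           // create store
  r.on("PUT", ["/", "/:id"], ok);    // update store
  r.on("DELETE", ["/", "/:id"], ok); // delete store / files
  r.on("POST", ["/:id"], ok);        // upload files
  return r;
}

// Hardened registration: each write route requires a matching permission.
export function hardenedRouter(): Router {
  const r = new Router();
  r.on("POST", ["/"], checkAnyPermission(["vectorstore:create"]), ok);
  r.on("PUT", ["/", "/:id"], checkAnyPermission(["vectorstore:update"]), ok);
  r.on("DELETE", ["/", "/:id"], checkAnyPermission(["vectorstore:delete"]), ok);
  r.on("POST", ["/:id"], checkAnyPermission(["vectorstore:update"]), ok);
  return r;
}

// Sends one request as the given role (undefined = unauthenticated) and returns the status.
export function status(router: Router, method: string, path: string, role?: string): number {
  const user = role ? { name: role + "-user", role } : undefined;
  return router.dispatch({ method, path, user }).statusCode;
}

// A viewer deleting a store: succeeds on the vulnerable router, blocked on the hardened one.
console.log("vulnerable:", status(vulnerableRouter(), "DELETE", "/vs_123", "viewer")); // 200
console.log("hardened:  ", status(hardenedRouter(), "DELETE", "/vs_123", "viewer"));   // 403
```

The point to carry over to real code is structural: the check must sit in each route's middleware chain, in front of the controller, so that no registration can be added later without one. Authentication alone (the API-key or session check the description mentions) establishes who is calling; only a per-route permission check establishes whether that caller may write.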

Exploitation Scenario

An attacker with any valid Flowise account — obtained via credential stuffing against a self-hosted instance, phishing a low-privilege employee, or registering a trial account — directly calls the unprotected vector store CRUD endpoints. They first enumerate existing vector stores and retrieve all associated files, exfiltrating the organization's proprietary document collection used to ground AI agents. They then upload a crafted file containing indirect prompt injection payloads into a high-priority vector store. When legitimate users query AI agents backed by that store, the poisoned knowledge base causes the agent to return attacker-controlled responses — leaking system prompts, steering users toward malicious content, or performing unauthorized tool calls. Finally, the attacker deletes the original clean files to remove evidence and maximize disruption to agent operations.

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 14, 2026
