AI Threat Alert
GHSA-php6-83fg-gw3g: Flowise: brute-force auth grants full agent platform access
GHSA-php6-83fg-gw3g HIGHFlowise's checkBasicAuth endpoint in versions ≤3.1.1 accepts unlimited login attempts with zero rate limiting, making credential brute-forcing trivially automatable against any internet-exposed instance. Flowise is a widely deployed no-code AI agent builder used in enterprise LLM workflows — a successful attack hands an adversary full control over pipeline configurations, connected LLM API keys, vector database credentials, and agent tool definitions. There is no active exploitation in CISA KEV and no public exploit tool confirmed, but the absence of any brute-force protection and the package's history of 69 CVEs signal systemic security debt. Patch to 3.1.2 immediately; if patching is delayed, enforce rate limiting at the reverse proxy layer and restrict the auth endpoint to trusted IP ranges.
What is the risk?
High severity (CVSS 7.5) with a realistic and low-sophistication exploit path over the network. The primary risk amplifier is the complete absence of rate limiting — an attacker can run automated credential stuffing with no throttling or account lockout. The non-constant-time === comparison enables secondary timing-based enumeration, and distinct success/failure response messages further accelerate credential discovery. Flowise instances are frequently internet-exposed as part of enterprise AI build-out, and the 69 CVEs in the same package indicate a pattern of security debt that warrants elevated scrutiny of any production deployment.
Attack Kill Chain
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | <= 3.1.1 | 3.1.2 |
Do you use flowise? You're affected.
Severity & Risk
Attack Surface
What should I do?
6 steps-
Patch immediately: upgrade flowise to 3.1.2 or later.
-
If patching is delayed, enforce rate limiting at the reverse proxy layer (nginx limit_req_zone, Cloudflare Rate Limiting, or equivalent) targeting the /api/v1/verify/auth path.
-
Restrict auth endpoint access to known IP ranges via firewall ACL or proxy rules.
-
Rotate FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables on any instance that was internet-exposed while running a vulnerable version.
-
Audit access logs for brute-force indicators: high-frequency requests from single IPs, repeated 401 responses followed by a 200.
-
For production deployments, migrate to OAuth/SSO rather than relying on basic auth.
Classification
Compliance Impact
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-php6-83fg-gw3g?
Flowise's checkBasicAuth endpoint in versions ≤3.1.1 accepts unlimited login attempts with zero rate limiting, making credential brute-forcing trivially automatable against any internet-exposed instance. Flowise is a widely deployed no-code AI agent builder used in enterprise LLM workflows — a successful attack hands an adversary full control over pipeline configurations, connected LLM API keys, vector database credentials, and agent tool definitions. There is no active exploitation in CISA KEV and no public exploit tool confirmed, but the absence of any brute-force protection and the package's history of 69 CVEs signal systemic security debt. Patch to 3.1.2 immediately; if patching is delayed, enforce rate limiting at the reverse proxy layer and restrict the auth endpoint to trusted IP ranges.
Is GHSA-php6-83fg-gw3g actively exploited?
No confirmed active exploitation of GHSA-php6-83fg-gw3g has been reported, but organizations should still patch proactively.
How to fix GHSA-php6-83fg-gw3g?
1. Patch immediately: upgrade flowise to 3.1.2 or later. 2. If patching is delayed, enforce rate limiting at the reverse proxy layer (nginx limit_req_zone, Cloudflare Rate Limiting, or equivalent) targeting the /api/v1/verify/auth path. 3. Restrict auth endpoint access to known IP ranges via firewall ACL or proxy rules. 4. Rotate FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables on any instance that was internet-exposed while running a vulnerable version. 5. Audit access logs for brute-force indicators: high-frequency requests from single IPs, repeated 401 responses followed by a 200. 6. For production deployments, migrate to OAuth/SSO rather than relying on basic auth.
What systems are affected by GHSA-php6-83fg-gw3g?
This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, No-code LLM workflow platforms, LLM API orchestration, Enterprise AI pipelines.
What is the CVSS score for GHSA-php6-83fg-gw3g?
GHSA-php6-83fg-gw3g has a CVSS v3.1 base score of 7.5 (HIGH).
Technical Details
NVD Description
**Detection Method:** Kolega.dev Deep Code Scan | Attribute | Value | |---|---| | Severity | Medium | | CWE | CWE-522 (Insufficiently Protected Credentials) | | Location | packages/server/src/enterprise/controllers/account.controller.ts:128-135 | | Practical Exploitability | Medium | | Developer Approver | faizan@kolega.ai | ### Description The checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. ### Affected Code ``` public async checkBasicAuth(req: Request, res: Response) { const { username, password } = req.body if (username === process.env.FLOWISE_USERNAME && password === process.env.FLOWISE_PASSWORD) { return res.json({ message: 'Authentication successful' }) ``` ### Evidence Credentials are sent in plaintext in request body and compared directly without hashing. No rate limiting prevents brute force attacks. The endpoint returns different messages for success/failure, enabling enumeration. ### Impact Credential brute-forcing - attackers can attempt unlimited username/password combinations against the basic auth system. Successful attacks grant access to the application. ### Recommendation 1) Implement rate limiting on this endpoint, 2) Use constant-time comparison to prevent timing attacks, 3) Consider using hashed comparison, 4) Return generic error messages, 5) Add logging for failed attempts. ### Notes The checkBasicAuth endpoint at line 128-135 has multiple security issues: (1) No rate limiting - the RateLimiterManager only applies to chatflow-specific endpoints, not auth endpoints. Attackers can perform unlimited brute force attempts. (2) Uses JavaScript === operator for comparison which is not constant-time, potentially enabling timing attacks. (3) Returns different messages for success ('Authentication successful') vs failure ('Authentication failed'), enabling credential enumeration. The endpoint compares plaintext credentials against environment variables FLOWISE_USERNAME and FLOWISE_PASSWORD. While this is basic auth for simpler deployments, the lack of rate limiting makes it actively exploitable for credential brute-forcing.
Exploitation Scenario
An attacker enumerates internet-exposed Flowise instances via Shodan or Censys, identifies the /api/v1/verify/auth endpoint, and launches an automated credential stuffing or dictionary attack using common defaults and leaked credential lists. The endpoint's distinct 'Authentication successful' vs 'Authentication failed' responses confirm valid credentials without triggering any lockout. Once authenticated, the attacker accesses the Flowise dashboard to harvest LLM API keys and database connection strings, inject malicious tool definitions into active agent workflows for persistence or data exfiltration, or pivot to connected backend services via the agent's configured tool integrations.
Weaknesses (CWE)
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-30821 9.8 flowise: Arbitrary File Upload enables RCE
Same package: flowise CVE-2026-30824 9.8 Flowise: auth bypass exposes NVIDIA NIM container endpoints
Same package: flowise