GHSA-w47f-j8rh-wx87: Flowise credential exposure

Q: Is GHSA-w47f-j8rh-wx87 actively exploited?

No confirmed active exploitation of GHSA-w47f-j8rh-wx87 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-w47f-j8rh-wx87?

1. PATCH: Upgrade to Flowise 3.1.0 immediately. Note that even in 3.1.0 the sanitization function `sanitizeFlowDataForPublicEndpoint` is reportedly only applied to `public-chatbotConfig` — verify that `public-chatflows` is also patched before relying solely on the upgrade. 2. ROTATE: Immediately rotate all credentials (API keys, passwords, OAuth tokens) stored in any Flowise flowData nodes. Treat all credentials in Flowise ≤ 3.0.13 as compromised. 3. AUDIT: Review which chatflows had `isPublic: true` and assess whether their credentials have been accessed. Query server access logs for `GET /api/v1/public-chatflows/` and `GET /api/v1/public-chatbotConfig/` requests from untrusted IP ranges. 4. HARDEN: Disable public chatflows if not required by the use case. If public chatflows are required, place Flowise behind a WAF or reverse proxy that enforces IP allowlisting. 5. DESIGN: Going forward, store credentials exclusively in a secrets manager (HashiCorp Vault, AWS Secrets Manager) and reference them by ID — never store plaintext credentials in workflow node configurations.

Q: What systems are affected by GHSA-w47f-j8rh-wx87?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM API integrations, AI workflow orchestration, no-code/low-code AI builders, RAG pipelines.

Q: What is the CVSS score for GHSA-w47f-j8rh-wx87?

No CVSS score has been assigned yet.

CISO Take

Flowise's unauthenticated public chatflow endpoint returns complete flowData without any sanitization in versions ≤ 3.0.13, exposing plaintext API keys, database passwords, and OAuth credential IDs to anyone who can reach the instance. The exploitation bar is trivial — a single unauthenticated GET request to a known chatflow UUID is sufficient, no authentication or special knowledge required — making this a high-priority issue for any org running Flowise with public chatflows enabled. While the vulnerability is not in CISA KEV and no public exploit kit exists today, the payload (production LLM API keys, third-party service credentials, internal node architecture) is extremely high-value and the attack is silent and non-destructive, meaning it can be weaponized before defenders detect it. Upgrade to Flowise 3.1.0 immediately, rotate all credentials stored in flowData nodes, and audit server logs for unexpected GET requests to `/api/v1/public-chatflows/` and `/api/v1/public-chatbotConfig/`.

Sources: GitHub Advisory ATLAS

What is the risk?

HIGH. Exploitation requires no authentication, no specialized tools, and no AI/ML knowledge — a standard HTTP client suffices. The attack surface is any Flowise instance with at least one public chatflow, a common configuration in organizations using Flowise for customer-facing AI assistants. The impact is direct third-party credential compromise: production LLM API keys (OpenAI, Anthropic, etc.), OAuth tokens enabling account takeover chains, and database credentials for connected data stores. With 59 prior CVEs in the same package, Flowise has a documented pattern of security issues, suggesting systemic development practices that merit elevated scrutiny. The absence of CVSS scoring is a data gap, not a mitigating factor — based on the attack characteristics (network-accessible, no auth, high-value data disclosure), this maps to a CVSS 3.1 score in the 7.5–8.5 HIGH range.

How does the attack unfold?

Target Identification

Attacker discovers a publicly accessible Flowise instance via Shodan, Censys, or by inspecting network requests from a public-facing AI chatbot widget that reveals the Flowise base URL.

AML.T0006

Chatflow UUID Enumeration

Attacker observes the chatflow UUID from the public chat interface network traffic or enumerates UUIDs, then crafts a GET request to `/api/v1/public-chatflows/{uuid}`.

AML.T0049

Credential Harvesting

Unauthenticated API response returns full flowData JSON containing plaintext API keys, database passwords, and OAuth credential IDs from all configured workflow nodes.

AML.T0083

Third-Party Account Compromise

Attacker uses exfiltrated LLM API keys for cost harvesting and leverages OAuth credential IDs to perform token theft for lateral movement into connected enterprise services (Google Workspace, Slack, databases).

AML.T0012

Target Identification

Attacker discovers a publicly accessible Flowise instance via Shodan, Censys, or by inspecting network requests from a public-facing AI chatbot widget that reveals the Flowise base URL.

AML.T0006

Chatflow UUID Enumeration

Attacker observes the chatflow UUID from the public chat interface network traffic or enumerates UUIDs, then crafts a GET request to `/api/v1/public-chatflows/{uuid}`.

AML.T0049

Credential Harvesting

Unauthenticated API response returns full flowData JSON containing plaintext API keys, database passwords, and OAuth credential IDs from all configured workflow nodes.

AML.T0083

Third-Party Account Compromise

Attacker uses exfiltrated LLM API keys for cost harvesting and leverages OAuth credential IDs to perform token theft for lateral movement into connected enterprise services (Google Workspace, Slack, databases).

AML.T0012

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	<= 3.0.13	`3.1.0`

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

PATCH

Upgrade to Flowise 3.1.0 immediately. Note that even in 3.1.0 the sanitization function sanitizeFlowDataForPublicEndpoint is reportedly only applied to public-chatbotConfig — verify that public-chatflows is also patched before relying solely on the upgrade.
ROTATE

Immediately rotate all credentials (API keys, passwords, OAuth tokens) stored in any Flowise flowData nodes. Treat all credentials in Flowise ≤ 3.0.13 as compromised.
AUDIT

Review which chatflows had isPublic: true and assess whether their credentials have been accessed. Query server access logs for GET /api/v1/public-chatflows/ and GET /api/v1/public-chatbotConfig/ requests from untrusted IP ranges.
HARDEN

Disable public chatflows if not required by the use case. If public chatflows are required, place Flowise behind a WAF or reverse proxy that enforces IP allowlisting.
DESIGN

Going forward, store credentials exclusively in a secrets manager (HashiCorp Vault, AWS Secrets Manager) and reference them by ID — never store plaintext credentials in workflow node configurations.

How is it classified?

Data Extraction Auth Bypass Data Leakage Agent Framework API AML.T0002.002 - AI Agent Configuration AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration AML.T0106 - Exploitation for Credential Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

6.1.3 - AI risk assessment A.9.2 - Information security for AI systems A.9.3 - Protection of AI system assets

NIST AI RMF

GOVERN 6.2 - Policies and procedures are in place to address AI risks and trustworthiness GOVERN-6.1 - Policies and procedures for AI risk are documented and communicated MANAGE 2.2 - Mechanisms are in place to sustain deployed AI systems and manage post-deployment risks MANAGE-2.2 - Mechanisms to sustain value and security of deployed AI systems

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is GHSA-w47f-j8rh-wx87?

Flowise's unauthenticated public chatflow endpoint returns complete flowData without any sanitization in versions ≤ 3.0.13, exposing plaintext API keys, database passwords, and OAuth credential IDs to anyone who can reach the instance. The exploitation bar is trivial — a single unauthenticated GET request to a known chatflow UUID is sufficient, no authentication or special knowledge required — making this a high-priority issue for any org running Flowise with public chatflows enabled. While the vulnerability is not in CISA KEV and no public exploit kit exists today, the payload (production LLM API keys, third-party service credentials, internal node architecture) is extremely high-value and the attack is silent and non-destructive, meaning it can be weaponized before defenders detect it. Upgrade to Flowise 3.1.0 immediately, rotate all credentials stored in flowData nodes, and audit server logs for unexpected GET requests to `/api/v1/public-chatflows/` and `/api/v1/public-chatbotConfig/`.

Is GHSA-w47f-j8rh-wx87 actively exploited?

No confirmed active exploitation of GHSA-w47f-j8rh-wx87 has been reported, but organizations should still patch proactively.

How to fix GHSA-w47f-j8rh-wx87?

1. PATCH: Upgrade to Flowise 3.1.0 immediately. Note that even in 3.1.0 the sanitization function `sanitizeFlowDataForPublicEndpoint` is reportedly only applied to `public-chatbotConfig` — verify that `public-chatflows` is also patched before relying solely on the upgrade. 2. ROTATE: Immediately rotate all credentials (API keys, passwords, OAuth tokens) stored in any Flowise flowData nodes. Treat all credentials in Flowise ≤ 3.0.13 as compromised. 3. AUDIT: Review which chatflows had `isPublic: true` and assess whether their credentials have been accessed. Query server access logs for `GET /api/v1/public-chatflows/` and `GET /api/v1/public-chatbotConfig/` requests from untrusted IP ranges. 4. HARDEN: Disable public chatflows if not required by the use case. If public chatflows are required, place Flowise behind a WAF or reverse proxy that enforces IP allowlisting. 5. DESIGN: Going forward, store credentials exclusively in a secrets manager (HashiCorp Vault, AWS Secrets Manager) and reference them by ID — never store plaintext credentials in workflow node configurations.

What systems are affected by GHSA-w47f-j8rh-wx87?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM API integrations, AI workflow orchestration, no-code/low-code AI builders, RAG pipelines.

What is the CVSS score for GHSA-w47f-j8rh-wx87?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM API integrationsAI workflow orchestrationno-code/low-code AI buildersRAG pipelines

MITRE ATLAS Techniques

AML.T0002.002 AI Agent Configuration

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

AML.T0083 Credentials from AI Agent Configuration

AML.T0084 Discover AI Agent Configuration

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: 6.1.3, A.9.2, A.9.3

NIST AI RMF: GOVERN 6.2, GOVERN-6.1, MANAGE 2.2, MANAGE-2.2

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

### Summary The `GET /api/v1/public-chatflows/:id` endpoint returns the full chatflow object **without sanitization** for public chatflows. Docker validation revealed this is worse than initially assessed: the `sanitizeFlowDataForPublicEndpoint` function does NOT exist in the released v3.0.13 Docker image. Both `public-chatflows` AND `public-chatbotConfig` return completely raw flowData including credential IDs, plaintext API keys, and password-type fields. ### Root Cause ```typescript // packages/server/src/controllers/chatflows/index.ts:218-220 const chatflow = await chatflowsService.getChatflowById(req.params.id) if (!chatflow) return res.status(StatusCodes.NOT_FOUND).json(...) if (chatflow.isPublic) return res.status(StatusCodes.OK).json(chatflow) // ← NO sanitization! ``` ### Docker Validation (v3.0.13) Created public chatflow with credential IDs and passwords in flowData: ```json { "flowData": "{\"nodes\":[{\"data\":{\"credential\":\"e92a39bf-...\",\"inputs\":{\"password\":\"sk-supersecretkey123\",\"apiKey\":\"should-not-leak\"}}}]}" } ``` The `sanitizeFlowDataForPublicEndpoint` function only exists in unreleased HEAD, and even there, only `public-chatbotConfig` calls it — `public-chatflows` never does. ### Impact - **Credential IDs** leaked — enables OAuth2 token theft chain (Finding 1) - **Plaintext API keys and passwords** leaked — direct third-party account compromise - **Node configurations** leaked — reveals internal architecture and endpoint URLs - Both `public-chatflows` and `public-chatbotConfig` are affected in the released version ### Suggested Fix Apply sanitization to both public endpoints: ```typescript const sanitized = sanitizeFlowDataForPublicEndpoint(chatflow) return res.status(StatusCodes.OK).json(sanitized) ``` Ensure the sanitization function strips all `credential`, `password`, `apiKey`, and `secretKey` fields from `flowData`. --- ## References - `packages/server/src/controllers/chatflows/index.ts` lines 209-236 - `packages/server/src/utils/sanitizeFlowData.ts` lines 11-34 (exists only in unreleased HEAD) ## Credits - Shinobi Security - https://github.com/shinobisecurity

Exploitation Scenario

An attacker targeting an organization's AI-powered customer service chatbot identifies the underlying Flowise instance via Shodan, Censys, or by inspecting the chatbot widget's network requests, which typically reveal the Flowise base URL. The attacker navigates to the public chat interface, observes that it loads configuration via `/api/v1/public-chatbotConfig/{uuid}`, and makes a parallel request to `/api/v1/public-chatflows/{uuid}` using the same UUID. The response contains the full flowData JSON including the OpenAI API key used for the LLM node, a credential ID referencing stored OAuth tokens for a connected Google Drive or Slack integration, and the connection string for a PostgreSQL vector database. The attacker immediately begins using the exfiltrated OpenAI API key to run inference at the victim's expense (cost harvesting) while simultaneously using the OAuth credential ID — if Flowise's credential decryption endpoint is also accessible — to retrieve a live OAuth token for lateral movement into the victim's Google Workspace or Slack environment. The entire attack from discovery to credential exfiltration takes under five minutes and leaves no abnormal application errors in the Flowise logs.