### Summary

The `GET /api/v1/public-chatflows/:id` endpoint returns the full chatflow object **without sanitization** for public chatflows. Docker validation revealed this is worse than initially assessed: the `sanitizeFlowDataForPublicEndpoint` function does NOT exist in the released v3.0.13 Docker image.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | <= 3.0.13 | 3.1.0 |
Recommended Action

Patch available: update flowise to version 3.1.0. Because any chatflow marked public on a version <= 3.0.13 served its full `flowData` to unauthenticated callers, treat the API keys, passwords, and credential IDs embedded in those flows as exposed and rotate them after upgrading.
Frequently Asked Questions
What is GHSA-w47f-j8rh-wx87?
GHSA-w47f-j8rh-wx87 is the Flowise advisory titled "Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs".
Is GHSA-w47f-j8rh-wx87 actively exploited?
No confirmed active exploitation of GHSA-w47f-j8rh-wx87 has been reported, but organizations should still patch proactively.
How to fix GHSA-w47f-j8rh-wx87?
Update to patched version: flowise 3.1.0.
What is the CVSS score for GHSA-w47f-j8rh-wx87?
No CVSS score has been assigned yet.
Technical Details
NVD Description
### Summary

The `GET /api/v1/public-chatflows/:id` endpoint returns the full chatflow object **without sanitization** for public chatflows. Docker validation revealed this is worse than initially assessed: the `sanitizeFlowDataForPublicEndpoint` function does NOT exist in the released v3.0.13 Docker image. Both `public-chatflows` AND `public-chatbotConfig` return completely raw flowData, including credential IDs, plaintext API keys, and password-type fields.

### Root Cause

```typescript
// packages/server/src/controllers/chatflows/index.ts:218-220
const chatflow = await chatflowsService.getChatflowById(req.params.id)
if (!chatflow) return res.status(StatusCodes.NOT_FOUND).json(...)
if (chatflow.isPublic) return res.status(StatusCodes.OK).json(chatflow) // ← NO sanitization!
```

### Docker Validation (v3.0.13)

Created a public chatflow with credential IDs and passwords in flowData:

```json
{
  "flowData": "{\"nodes\":[{\"data\":{\"credential\":\"e92a39bf-...\",\"inputs\":{\"password\":\"sk-supersecretkey123\",\"apiKey\":\"should-not-leak\"}}}]}"
}
```

The `sanitizeFlowDataForPublicEndpoint` function only exists in unreleased HEAD, and even there only `public-chatbotConfig` calls it; `public-chatflows` never does.

### Impact

- **Credential IDs** leaked: enables the OAuth2 token theft chain (Finding 1)
- **Plaintext API keys and passwords** leaked: direct third-party account compromise
- **Node configurations** leaked: reveals internal architecture and endpoint URLs
- Both `public-chatflows` and `public-chatbotConfig` are affected in the released version

### Suggested Fix

Apply sanitization to both public endpoints:

```typescript
const sanitized = sanitizeFlowDataForPublicEndpoint(chatflow)
return res.status(StatusCodes.OK).json(sanitized)
```

Ensure the sanitization function strips all `credential`, `password`, `apiKey`, and `secretKey` fields from `flowData`.
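The following is an added example, not Flowise project code and not the `sanitizeFlowDataForPublicEndpoint` function referenced above. It shows two things a practitioner would want from the Root Cause and Suggested Fix sections: an audit routine that lists which sensitive paths a raw `public-chatflows` response still carries (feed it the JSON body returned by `GET /api/v1/public-chatflows/:id` to check a deployed instance), and a sanitizer that strips those fields before the record is returned. The JSON-string shape of `flowData` and the field names `credential`, `password`, `apiKey`, `secretKey` come from the advisory's sample; the substring patterns for variant names, the fail-closed handling of malformed `flowData`, and the sample record are assumptions.

```typescript
// Added example (not Flowise code). Audit and sanitize a chatflow record
// before it leaves an unauthenticated public endpoint.

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

// Exact names listed in the advisory, plus a substring match so that
// variants such as `openAIApiKey` or `clientSecret` are caught too
// (assumption; tune to the node catalogue actually deployed).
const SENSITIVE_EXACT = ["credential", "password", "apikey", "secretkey"];
const SENSITIVE_PATTERN = /apikey|secret|password|credential/;

function isSensitiveKey(key: string): boolean {
  const k = key.toLowerCase();
  return SENSITIVE_EXACT.indexOf(k) >= 0 || SENSITIVE_PATTERN.test(k);
}

// Return dotted paths of every sensitive key found anywhere in a JSON value.
function findSensitivePaths(value: Json, path = ""): string[] {
  const hits: string[] = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findSensitivePaths(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const k of Object.keys(value)) {
      const p = path ? `${path}.${k}` : k;
      if (isSensitiveKey(k)) hits.push(p);            // report; do not descend
      else hits.push(...findSensitivePaths(value[k], p));
    }
  }
  return hits;
}

// Deep copy with every sensitive key removed, at any depth.
function stripSensitive(value: Json): Json {
  if (Array.isArray(value)) return value.map(stripSensitive);
  if (value !== null && typeof value === "object") {
    const out: { [key: string]: Json } = {};
    for (const k of Object.keys(value)) {
      if (!isSensitiveKey(k)) out[k] = stripSensitive(value[k]);
    }
    return out;
  }
  return value;
}

const EMPTY_GRAPH = JSON.stringify({ nodes: [], edges: [] });

// flowData is stored as a JSON string. Malformed or missing input yields an
// empty graph rather than the raw string passing through unscrubbed (fail closed).
function parseFlowData(flowData: Json): Json {
  if (typeof flowData !== "string") return JSON.parse(EMPTY_GRAPH);
  try { return JSON.parse(flowData) as Json; } catch { return JSON.parse(EMPTY_GRAPH); }
}

// Audit a raw record: sensitive keys in top-level columns, then inside flowData.
function auditPublicChatflow(chatflow: { [key: string]: Json }): string[] {
  const outer = findSensitivePaths({ ...chatflow, flowData: "" });
  const inner = findSensitivePaths(parseFlowData(chatflow.flowData)).map(p => `flowData.${p}`);
  return [...outer, ...inner];
}

// What a public endpoint should return: top-level columns and the graph both
// scrubbed, with flowData re-serialised as the string clients expect.
function sanitizePublicChatflow(chatflow: { [key: string]: Json }): { [key: string]: Json } {
  const scrubbed = stripSensitive(chatflow) as { [key: string]: Json };
  scrubbed.flowData = JSON.stringify(stripSensitive(parseFlowData(chatflow.flowData)));
  return scrubbed;
}

// Constructed sample record modelled on the advisory's Docker validation payload.
const rawChatflow: { [key: string]: Json } = {
  id: "11111111-2222-3333-4444-555555555555",
  name: "support-bot",
  isPublic: true,
  flowData: JSON.stringify({
    nodes: [{
      id: "chatOpenAI_0",
      data: {
        credential: "e92a39bf-0000-0000-0000-000000000000",
        inputs: { password: "sk-supersecretkey123", apiKey: "should-not-leak", modelName: "gpt-4o" },
      },
    }],
    edges: [],
  }),
};

console.log(auditPublicChatflow(rawChatflow));
console.log(auditPublicChatflow(sanitizePublicChatflow(rawChatflow)));
```

On the sample record the audit reports `flowData.nodes[0].data.credential`, `flowData.nodes[0].data.inputs.password`, and `flowData.nodes[0].data.inputs.apiKey`; after sanitizing it reports nothing, and the non-secret `modelName` input survives. A deny-list like this is the minimum the advisory asks for; an allow-list of the fields the embedded chat widget actually needs is the stronger design if the client can tolerate it.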
---

## References

- `packages/server/src/controllers/chatflows/index.ts`, lines 209-236
- `packages/server/src/utils/sanitizeFlowData.ts`, lines 11-34 (exists only in unreleased HEAD)

## Credits

- Shinobi Security - https://github.com/shinobisecurity
Related Vulnerabilities (same package: flowise)

- CVE-2026-40933 (10.0) Flowise: RCE via MCP stdio command injection
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection
- CVE-2025-61913 (9.9) Flowise: path traversal in file tools leads to RCE
- CVE-2026-30824 (9.8) Flowise: auth bypass exposes NVIDIA NIM container endpoints
- CVE-2026-30821 (9.8) flowise: Arbitrary File Upload enables RCE