GHSA-x5w6-38gp-mrqh: Flowise: HTTP reset link exposes tokens to MITM takeover
GHSA-x5w6-38gp-mrqh HIGH
Flowise's cloud platform sends password reset links over unencrypted HTTP, so the reset token is readable by anyone who can observe the victim's traffic on its way to the link's host. An attacker on the same Wi-Fi as the victim, passively sniffing or actively ARP-poisoning the segment, captures the token when the victim opens the link and takes over the account without holding any credentials; the only precondition is that the victim requests a reset and clicks the link while on a network the attacker can watch. Flowise is a no-code AI agent builder that stores LLM API keys, database connection strings, and proprietary workflow logic, so account compromise exposes the organization's AI orchestration layer directly. No public exploit or active exploitation is known, but the attack needs only a packet capture tool and network adjacency, well within script-kiddie capability. Upgrade to Flowise 3.1.0 immediately; until it is deployed, require VPN for all Flowise cloud access, and audit and rotate the credentials stored in any account that may have been compromised.
Risk Assessment
Moderate-high. The need for a man-in-the-middle position limits scale compared with unauthenticated remote exploits, but public and shared corporate Wi-Fi make network adjacency realistic for traveling enterprise users. The technique is trivial (passive sniffing; no AI/ML knowledge required) and the impact ceiling is high: a compromised Flowise account exposes the entire AI pipeline it orchestrates. With 37 prior CVEs in the same package, Flowise carries a demonstrated security debt that warrants elevated scrutiny.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | <= 3.0.13 | 3.1.0 |
If you run flowise 3.0.13 or earlier, you are affected.
Recommended Action
1. Patch: upgrade flowise to 3.1.0, which fixes the HTTP link generation.
2. Interim control: require VPN for all Flowise cloud access until the patch is deployed. This only removes the attacker from the local segment; the reset link's request still leaves the VPN egress as plaintext, so treat it as a stopgap, not a fix.
3. Rotate credentials: audit and rotate every LLM API key, database credential and API token stored in Flowise agent configurations, prioritising accounts that performed a password reset on an untrusted network.
4. Detection: alert on a password reset event followed within 15 minutes by a login from an IP address or geolocation the account has not used before.
5. Long-term: serve every Flowise endpoint with HSTS and audit all transactional emails for http:// links. HSTS only helps once the browser has already seen the header over HTTPS (or the host is preloaded) and only for that host, so it does not protect the first plaintext request to an http:// link; the links in the emails themselves have to be https://.
Frequently Asked Questions
What is GHSA-x5w6-38gp-mrqh?
A password reset link sent by Flowise's cloud platform uses http:// rather than https://, so the reset token travels in cleartext and can be captured by an attacker on the victim's network to take over the account. The summary at the top of this page covers impact and required actions.
Is GHSA-x5w6-38gp-mrqh actively exploited?
No confirmed active exploitation of GHSA-x5w6-38gp-mrqh has been reported, but organizations should still patch proactively.
How to fix GHSA-x5w6-38gp-mrqh?
Upgrade flowise to 3.1.0. Until then, require VPN for Flowise cloud access, rotate the LLM API keys, database credentials and API tokens stored in agent configurations, watch for password resets followed within 15 minutes by logins from new IP addresses, and audit transactional emails for http:// links. The Recommended Action section above lists the steps in full.
What systems are affected by GHSA-x5w6-38gp-mrqh?
The flowise npm package at 3.0.13 or earlier and the hosted cloud.flowiseai.com platform where the issue was reported. In architectural terms that is the no-code agent builder and AI workflow orchestration layer, together with every LLM API key, database connection string and workflow an affected account stores.
What is the CVSS score for GHSA-x5w6-38gp-mrqh?
No CVSS score has been assigned yet.
Technical Details
NVD Description
**Summary:** The password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle (MITM) attack, where an attacker on the same network as the user (e.g., public Wi-Fi) can intercept the reset link and gain unauthorized access to the victim’s account.

**Steps to Reproduce:**
1. Sign up for a new account on https://cloud.flowiseai.com/register.
2. Navigate to the https://cloud.flowiseai.com/forgot-password page and enter your email.
3. Open your inbox and locate the password reset email.
4. Copy the reset link and inspect its protocol – it uses http:// instead of https://.

**POC:** http://url6444.mail.flowiseai.com/ls/click?upn=u001.wa3d8yQsDRACvrFO3KPOeg4btvV98-2FRrNXRtYO9s9CtK622C9ChG4-2BvVg73Tvckl-2B5NZdaQcY4lfu7-2FJ5x9CldlKHZK4mop-2Bv-2FhMDPBX-2FtRDjG7vM-2FSMz1nPIQL3FS94nJSjGnZOW38kMxxMCP92yr092lV1KNGMVDr8xaCpM3k-3D1zEv_0Wzb2YTtJ6lxixf7gbrDfWWVoz-2B4mHPzoyxr9IPI-2Fas8GiBp1THEcPQTeIcCYlgaV0UaD8Y2wiA4ZRRCAp-2BjS0SMkthmibNAiBs2GZjXIaV-2F2wTIaJJdFXWkhTB-2Fc8hJjDhpLnRfayLJ5HyG9gftPNPM-2F9t9DvyHB-2FYLpZzAvou6jB8Nr-2BBFjyWBFrNq0g6su6i-2BwFySXSA-2Bzyg94PQKOA-3D-3D

**Impact:** If a victim receives this insecure link and uses it over an untrusted network, an attacker can sniff the traffic and capture the reset token. This allows the attacker to hijack the victim's password reset session, potentially compromising their account.

**Mitigation:** Ensure all sensitive URLs, especially password reset links, are generated and transmitted over secure https:// endpoints only.

**Best Practice:** Use HTTPS in all password-related email links. Implement HSTS (HTTP Strict Transport Security) to enforce secure connections.
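The hardening the mitigation above calls for, as an added example in JavaScript (Flowise runs on Node.js). This is not Flowise's own code; the hostnames, the /reset-password path, the query-parameter name and the sample message are assumptions made for the example. The builder refuses to emit a reset link unless the configured base URL is https://, and the audit function implements the transactional-email check from step 5 of Recommended Action. The POC link above is served from a link-tracking host on a mail subdomain rather than from cloud.flowiseai.com itself, which is why the audit should run on the message as the mail provider actually delivers it, not only on the template.

```javascript
// Added example, not Flowise's own code: (1) a reset-link builder that refuses
// to emit anything but https://, and (2) an audit that scans an outgoing email
// body for plain http:// links. Host names, paths, the parameter name and the
// token below are assumptions made for this example.

// Build the password-reset URL. Throws if the configured base URL is not
// https://, so a misconfigured base URL cannot silently downgrade the link.
function buildResetLink(baseUrl, token) {
  const u = new URL("/reset-password", baseUrl); // path is an assumption
  if (u.protocol !== "https:") {
    throw new Error(`refusing to build a reset link over ${u.protocol.replace(":", "")}`);
  }
  u.searchParams.set("token", token); // parameter name is an assumption
  return u.toString();
}

// Absolute http(s) URLs in plain text or HTML; stops at whitespace and quotes.
const URL_RE = /\bhttps?:\/\/[^\s"'<>)]+/gi;

// Return every http:// link found in the body. Run this on the message as it
// will actually be delivered: a mail provider that rewrites links through a
// click-tracking redirect can turn an https template link into an http one.
function findInsecureLinks(emailBody) {
  const insecure = [];
  for (const match of emailBody.match(URL_RE) ?? []) {
    let u;
    try {
      u = new URL(match);
    } catch {
      continue; // not a parseable URL; ignore
    }
    if (u.protocol === "http:") insecure.push(u.toString());
  }
  return insecure;
}

// Send-time gate: throw instead of handing an insecure message to the mailer.
function assertSafeToSend(emailBody) {
  const bad = findInsecureLinks(emailBody);
  if (bad.length > 0) {
    throw new Error(`refusing to send: insecure link(s) ${bad.join(", ")}`);
  }
  return true;
}

// Constructed sample: the template link is https, but the tracked copy that a
// link-rewriting mail provider would deliver is http.
const SAMPLE_EMAIL = [
  "Reset your password: " + buildResetLink("https://cloud.example.test", "abc123"),
  "Tracked copy: http://tracking.mail.example.test/ls/click?upn=u001.example",
].join("\n");

console.log(findInsecureLinks(SAMPLE_EMAIL));
```

Run with `node` to print the one insecure link in the constructed sample. Calling `assertSafeToSend` immediately before the mail-API call turns the audit into a hard gate, so an http:// link introduced by a link-rewriting step fails loudly instead of reaching a user.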
Exploitation Scenario
The attacker positions on a shared network (hotel Wi-Fi, conference venue) and starts passive HTTP capture or active ARP poisoning. The target is a DevOps engineer whose Flowise account manages production AI pipelines. The attacker either waits for the victim to request a password reset on their own or prompts one with a pretext ("you need to re-authenticate your Flowise account"). When the victim opens the http:// reset link from their mail client, the full reset URL, token included, crosses the network in cleartext on that first request, before any redirect to an HTTPS page can protect it. The attacker redeems the token, sets a new password, logs in, and pulls LLM API keys and database credentials out of the agent configurations, gaining access to production AI infrastructure without ever touching the victim's machine.
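The detection heuristic from step 4 of Recommended Action, applied to the scenario above, as an added JavaScript example (not Flowise code). The JSON-lines log format and the events in it are constructed for this example; map the `ts`, `event`, `user` and `ip` fields onto whatever your authentication log records.

```javascript
// Added example, not Flowise's own code: flag password resets that are followed
// within 15 minutes by a login from an IP the account has never logged in from.
// The JSON-lines log format and the events below are constructed for this
// example; map the field names onto your own authentication log.

const WINDOW_MS = 15 * 60 * 1000;

// Constructed sample log. alice resets and then logs in from a never-seen
// address six minutes later (the pattern in the scenario above); bob resets
// and logs in from his usual address; carol logs in 30 minutes after a reset,
// outside the window.
const SAMPLE_LOG = `
{"ts":"2025-06-01T09:00:00Z","event":"login","user":"alice","ip":"203.0.113.10"}
{"ts":"2025-06-01T09:05:00Z","event":"login","user":"bob","ip":"198.51.100.7"}
{"ts":"2025-06-02T14:00:00Z","event":"password_reset","user":"alice","ip":"203.0.113.10"}
{"ts":"2025-06-02T14:06:00Z","event":"login","user":"alice","ip":"192.0.2.44"}
{"ts":"2025-06-02T15:00:00Z","event":"password_reset","user":"bob","ip":"198.51.100.7"}
{"ts":"2025-06-02T15:03:00Z","event":"login","user":"bob","ip":"198.51.100.7"}
{"ts":"2025-06-02T16:00:00Z","event":"password_reset","user":"carol","ip":"203.0.113.99"}
{"ts":"2025-06-02T16:30:00Z","event":"login","user":"carol","ip":"192.0.2.77"}
`.trim();

// Parse JSON lines into events sorted by time; skips blank or malformed lines.
function parseLog(text) {
  const events = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      const e = JSON.parse(line);
      events.push({ ...e, t: Date.parse(e.ts) });
    } catch {
      // malformed line: ignore rather than abort the whole scan
    }
  }
  return events.sort((a, b) => a.t - b.t);
}

// Returns one alert per login that happens within windowMs after a reset for
// the same user and comes from an IP not seen in any earlier login for that
// user. Known IPs are built from logins only: the reset completion itself may
// already be the attacker redeeming a captured token.
function findSuspiciousResets(events, windowMs = WINDOW_MS) {
  const knownIps = new Map();     // user -> Set of IPs from earlier logins
  const recentResets = new Map(); // user -> reset events still inside the window
  const alerts = [];
  for (const e of events) {
    if (e.event === "password_reset") {
      const list = recentResets.get(e.user) ?? [];
      list.push(e);
      recentResets.set(e.user, list);
      continue;
    }
    if (e.event !== "login") continue;
    const known = knownIps.get(e.user) ?? new Set();
    const resets = (recentResets.get(e.user) ?? []).filter((r) => e.t - r.t <= windowMs);
    recentResets.set(e.user, resets);
    if (resets.length > 0 && !known.has(e.ip)) {
      alerts.push({ user: e.user, resetAt: resets[0].ts, loginAt: e.ts, newIp: e.ip });
    }
    known.add(e.ip);
    knownIps.set(e.user, known);
  }
  return alerts;
}

console.log(JSON.stringify(findSuspiciousResets(parseLog(SAMPLE_LOG)), null, 2));
```

Known addresses are built from earlier logins only, deliberately not from the reset event, because in this scenario the reset completion may already come from the attacker's address. Run with `node` to print the single alert the constructed log produces; swap the IP check for a geolocation lookup if that is what your log carries.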
Related Vulnerabilities
| CVE | Score | Title | Relationship |
|---|---|---|---|
| CVE-2026-40933 | 10.0 | Analysis pending | same package: flowise |
| CVE-2025-59528 | 10.0 | Flowise: Unauthenticated RCE via MCP config injection | same package: flowise |
| CVE-2025-61913 | 9.9 | Flowise: path traversal in file tools leads to RCE | same package: flowise |
| CVE-2026-30821 | 9.8 | flowise: Arbitrary File Upload enables RCE | same package: flowise |
| CVE-2026-30824 | 9.8 | Flowise: auth bypass exposes NVIDIA NIM container endpoints | same package: flowise |