Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30820 is an authorization bypass vulnerability in Flowise versions prior to 3.0.13. The issue occurs because Flowise trusts any HTTP request that includes the header 'x-request-from: internal' as coming from an internal client, bypassing all authorization checks on the /api/v1/** routes."}, {'type': 'paragraph', 'content': 'This means that an authenticated tenant with only a browser session cookie can add this spoofed header to API requests and gain unauthorized access to internal administration endpoints such as API key management, credential stores, and custom function execution.'}, {'type': 'paragraph', 'content': 'The vulnerability allows low-privilege users to escalate their privileges and potentially compromise the system. It was patched in Flowise version 3.0.13.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows low-privilege authenticated users to bypass authorization controls and access sensitive internal administration functions.

• Privilege escalation from low-privilege tenant to administrative level.
• Unauthorized management of API keys, which could lead to further unauthorized access.
• Access to credential stores, potentially exposing sensitive information.
• Execution of custom functions, which could be exploited for remote code execution or other malicious activities.

Overall, this vulnerability can lead to a full system compromise if combined with other vulnerabilities.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring API requests to Flowise endpoints under /api/v1/** that include the HTTP header x-request-from: internal. Such requests indicate attempts to bypass authorization checks.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and inspect HTTP traffic to identify requests containing the spoofed header x-request-from: internal combined with authenticated session cookies.'}, {'type': 'list_item', 'content': 'Use network traffic capture tools like tcpdump or Wireshark to filter HTTP requests with the header x-request-from: internal.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture such traffic: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep -i 'x-request-from: internal'"}, {'type': 'list_item', 'content': 'Alternatively, use curl or HTTP client tools to test the presence of the vulnerability by sending requests with and without the header and observing authorization behavior.'}, {'type': 'list_item', 'content': "Example curl command to test privilege escalation: curl -v -H 'x-request-from: internal' --cookie 'session=<valid_cookie>' -X POST https://<flowise_host>/api/v1/apikey"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Flowise to version 3.0.13 or later, where this authorization bypass vulnerability has been patched.

Until the upgrade can be performed, restrict access to the Flowise API endpoints to trusted networks and users, and monitor for suspicious requests containing the x-request-from: internal header.

Additionally, review and harden authentication and authorization middleware to ensure that the presence of the x-request-from header does not bypass permission checks.

Useful 0 Not Useful 0