Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30823 is a critical vulnerability in the Flowise platform affecting versions up to 3.0.12. It is an Insecure Direct Object Reference (IDOR) combined with a business logic flaw in the PUT /api/v1/loginmethod endpoint. Although this endpoint requires authentication, it does not verify whether the authenticated user has ownership or administrative rights over the specified organizationId in the request body.'}, {'type': 'paragraph', 'content': 'This lack of authorization checking allows low-privileged users, including those on the Free plan, to overwrite the Single Sign-On (SSO) configuration of any organization by specifying its organizationId. They can enable Enterprise-only features such as SSO/SAML without having the required license and perform account takeover by redirecting the authentication flow to attacker-controlled OAuth credentials.'}, {'type': 'paragraph', 'content': "Technically, the backend accepts an organizationId parameter in the JSON payload and updates the corresponding database record without verifying that the requester's organizationId matches the target organizationId. There is no middleware or logic enforcing this ownership check."}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including account takeover and license bypass.

• Account Takeover: Attackers can replace legitimate OAuth credentials with their own, causing victim employees to authenticate against attacker-controlled applications, enabling session hijacking or credential theft.
• License Bypass: Users on the Free tier can illicitly enable and configure SSO providers and other Enterprise-only features without possessing the required license.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the Flowise instance is running a version prior to 3.0.13 and by testing the PUT /api/v1/loginmethod endpoint for improper authorization checks.'}, {'type': 'paragraph', 'content': 'A possible detection method involves sending an authenticated PUT request to /api/v1/loginmethod with an organizationId that does not belong to the authenticated user and observing if the server accepts and applies the changes.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability (replace <JWT_TOKEN>, <VICTIM_ORG_ID>, and attacker OAuth credentials accordingly):'}, {'type': 'list_item', 'content': 'curl -X PUT https://<flowise-server>/api/v1/loginmethod -H "Authorization: Bearer <JWT_TOKEN>" -H "Content-Type: application/json" -d \'{"organizationId": "<VICTIM_ORG_ID>", "provider": "google", "clientId": "attacker-client-id", "clientSecret": "attacker-client-secret"}\''}, {'type': 'paragraph', 'content': 'If the server responds with HTTP 200 OK and applies the changes, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Flowise platform to version 3.0.13 or later, where this vulnerability has been patched.

Until the upgrade can be applied, restrict access to the PUT /api/v1/loginmethod endpoint to only trusted administrators and monitor for suspicious activity involving changes to SSO configurations.

Additionally, review OAuth provider configurations for unauthorized changes and reset any compromised credentials.

Useful 0 Not Useful 0