CVE-2026-8026
Analyzed Analyzed - Analysis Complete
Information Disclosure in FlowiseAI Flowise API Response Handler

Publication date: 2026-05-06

Last updated on: 2026-05-07

Assigner: VulDB

Description
A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. You should upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-8026
EUVD
EUVD-2026-27824
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flowiseai flowise to 3.0.12 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a security flaw found in FlowiseAI Flowise versions up to 3.0.12, specifically in the Login function of the API Response Handler component. It allows an attacker to remotely manipulate the system to disclose information that should be protected.

The attack is considered difficult to execute due to its high complexity level.

Impact Analysis

The vulnerability can lead to unauthorized information disclosure, meaning sensitive data could be exposed to attackers without proper authorization.

Since the attack can be launched remotely, it increases the risk of exploitation from outside the network.

However, the exploitability is difficult, which may reduce the likelihood of successful attacks.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade the affected component, FlowiseAI Flowise, to a version later than 3.0.12.

Compliance Impact

The vulnerability in FlowiseAI Flowise up to version 3.0.12 exposes sensitive user information, including bcrypt password hashes, tempToken, and tokenExpiry, through API endpoints. This information disclosure can lead to credential stuffing, lateral movement, or privilege escalation if passwords are cracked or reused.

Such exposure of sensitive personal data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information to prevent unauthorized access and data breaches.

Organizations using the affected software may face increased risk of violating these regulations due to inadequate protection of user credentials and personal data, potentially leading to legal and financial consequences.

Detection Guidance

This vulnerability can be detected by monitoring API responses from the Flowise server, specifically the endpoints `/api/v1/account/login` and `/api/v1/account/invite`.

If these endpoints return JSON responses containing sensitive fields such as bcrypt password hashes, tempToken, or tokenExpiry, it indicates the presence of the vulnerability.

To detect this on your system, you can use command-line tools like curl to send requests and inspect the responses.

  • curl -X POST https://<flowise-server>/api/v1/account/login -d '{"email":"[email protected]","password":"password"}' -H 'Content-Type: application/json' -i
  • curl -X POST https://<flowise-server>/api/v1/account/invite -d '{"email":"[email protected]"}' -H 'Content-Type: application/json' -i

Examine the JSON responses for any exposed bcrypt hashes or tokens. Presence of these sensitive fields confirms the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8026. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart