CVE-2026-8026
Information Disclosure in FlowiseAI Flowise API Response Handler
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flowiseai | flowise | to 3.0.12 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw found in FlowiseAI Flowise versions up to 3.0.12, specifically in the Login function of the API Response Handler component. It allows an attacker to remotely manipulate the system to disclose information that should be protected.
The attack is considered difficult to execute due to its high complexity level.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized information disclosure, meaning sensitive data could be exposed to attackers without proper authorization.
Since the attack can be launched remotely, it increases the risk of exploitation from outside the network.
However, the exploitability is difficult, which may reduce the likelihood of successful attacks.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade the affected component, FlowiseAI Flowise, to a version later than 3.0.12.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in FlowiseAI Flowise up to version 3.0.12 exposes sensitive user information, including bcrypt password hashes, tempToken, and tokenExpiry, through API endpoints. This information disclosure can lead to credential stuffing, lateral movement, or privilege escalation if passwords are cracked or reused.
Such exposure of sensitive personal data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information to prevent unauthorized access and data breaches.
Organizations using the affected software may face increased risk of violating these regulations due to inadequate protection of user credentials and personal data, potentially leading to legal and financial consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring API responses from the Flowise server, specifically the endpoints `/api/v1/account/login` and `/api/v1/account/invite`.
If these endpoints return JSON responses containing sensitive fields such as bcrypt password hashes, tempToken, or tokenExpiry, it indicates the presence of the vulnerability.
To detect this on your system, you can use command-line tools like curl to send requests and inspect the responses.
- curl -X POST https://<flowise-server>/api/v1/account/login -d '{"email":"[email protected]","password":"password"}' -H 'Content-Type: application/json' -i
- curl -X POST https://<flowise-server>/api/v1/account/invite -d '{"email":"[email protected]"}' -H 'Content-Type: application/json' -i
Examine the JSON responses for any exposed bcrypt hashes or tokens. Presence of these sensitive fields confirms the vulnerability.