Executive Summary

CVE-2026-46443 is a high-severity vulnerability in Flowise, a drag & drop user interface for building customized large language model flows. The vulnerability occurs in versions 3.1.1 and earlier when credentials are fetched using a credentialName filter parameter. In this case, the encryptedData field, which contains sensitive encrypted credential information, is improperly exposed in the response. Normally, this field is omitted when no filter is used, but the filtering logic fails to exclude it, allowing authenticated users to access encrypted credential data.

If an attacker also obtains access to the encryption key file (usually located at ~/.flowise/encryption.key), they can decrypt and steal sensitive credentials such as API keys, passwords, and tokens for services like OpenAI or AWS. The vulnerability has a CVSS score of 7.0, indicating high severity, and can be exploited remotely with low privileges and no user interaction. This issue was fixed in Flowise version 3.1.2.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive credential data, including API keys, passwords, and tokens used by Flowise to access external services like OpenAI or AWS.

If an attacker exploits this flaw and also gains access to the encryption key file, they can decrypt these credentials, potentially leading to further compromise of connected services and data.

Because the attack requires only low privileges and no user interaction, it poses a significant risk of credential theft and subsequent unauthorized access to critical systems or data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Flowise installation is running a version prior to 3.1.2 and by testing whether the encryptedData field is exposed when fetching credentials using the credentialName filter parameter.

You can attempt to detect the vulnerability by making an authenticated API request to the credentials endpoint with a credentialName filter and inspecting the response for the presence of the encryptedData field.

For example, using curl (replace placeholders accordingly):

• curl -H "Authorization: Bearer <your_token>" "http://<flowise_host>/api/credentials?credentialName=<name>"

If the response contains the encryptedData field, your system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Flowise to version 3.1.2 or later, where this vulnerability has been patched.

Additionally, restrict access to the encryption key file located at ~/.flowise/encryption.key to prevent attackers from decrypting any exposed encryptedData.

Limit authenticated user privileges to reduce the risk of exploitation, as the vulnerability requires low privileges but authenticated access.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability exposes encrypted credential data such as API keys, passwords, and tokens to authenticated users due to improper filtering of sensitive fields. If an attacker obtains the encryption key, they can decrypt and steal these credentials.

Such unauthorized exposure and potential theft of sensitive credential information can lead to violations of data protection standards and regulations like GDPR and HIPAA, which mandate strict controls over access to sensitive data and credentials.

Therefore, this vulnerability could negatively impact compliance by increasing the risk of unauthorized data access and potential data breaches.

Useful 0 Not Useful 0