CVE-2026-56270
Missing Authentication in Flowise Exposes SSO Secrets

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including OAuth client secrets in cleartext, by providing an organizationId parameter. Remote attackers can send a GET request to harvest sensitive API credentials for Google, Microsoft/Azure, GitHub, and Auth0 integrations. This affects FlowiseAI Cloud and self-hosted instances where the endpoint is exposed.
Affected Vendors & Products

Vendor       Product    Version / Range
flowise      flowise    up to 3.1.0 (excluding 3.1.0)
flowiseai    flowise    up to 3.1.0 (excluding 3.1.0)
CWE

CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

CVE-2026-56270 is a vulnerability in Flowise versions 3.0.13 and earlier where the /api/v1/loginmethod endpoint does not require authentication.

This allows unauthenticated users to send a GET request with an organizationId parameter and retrieve the organization's complete Single Sign-On (SSO) configuration.

The sensitive information exposed includes OAuth client secrets in cleartext for integrations such as Google, Microsoft/Azure, GitHub, and Auth0.

This flaw affects both FlowiseAI Cloud and self-hosted instances where the vulnerable endpoint is accessible.

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive OAuth client secrets in cleartext, which can lead to unauthorized access to third-party integrations and potential data breaches.

Such unauthorized disclosure of sensitive credentials can result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding of sensitive information and ensuring proper access controls.

Failure to protect these secrets may lead to non-compliance with these standards due to inadequate authentication and exposure of sensitive data.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive OAuth client secrets, which can be exploited by remote attackers.

Attackers can use these credentials to compromise third-party integrations such as Google, Microsoft/Azure, GitHub, and Auth0.

Such compromise can result in unauthorized access to organizational resources, data breaches, and potential further exploitation of connected systems.

Detection Guidance

This vulnerability can be detected by sending an unauthenticated GET request to the /api/v1/loginmethod endpoint with an organizationId parameter and checking if the response contains sensitive OAuth client secrets in cleartext.

A simple command to test this on a system or network where Flowise versions 3.0.13 or earlier are running is:

  • curl -X GET 'http://<target-host>/api/v1/loginmethod?organizationId=<org-id>'

If the response returns OAuth client secrets or SSO configuration data without requiring authentication, the system is vulnerable.
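
The following Python script is an added defender-side example, not part of this advisory or of the Flowise project: it scans web-server access-log lines for GET requests to /api/v1/loginmethod that carry an organizationId parameter from outside a trusted network, and compares a deployed version string against the fixed release 3.1.0. The common-log-style line format, the 10.0.0.0/8 trusted range and the sample log lines are assumptions constructed for the example.

```python
"""Added example (not from the advisory): log review and version check for CVE-2026-56270."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (3, 1, 0)  # first Flowise release that requires auth on the endpoint
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal admin range
VULN_PATH = "/api/v1/loginmethod"

# Assumed common-log style: client, ident, user, [time], "METHOD target PROTO", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]+" (\d{3})')

def is_vulnerable_version(version: str) -> bool:
    """True if the version (e.g. 'v3.0.13') is older than the fixed release 3.1.0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < FIXED_VERSION

def is_loginmethod_probe(method: str, target: str) -> bool:
    """True for a GET to the vulnerable endpoint that supplies organizationId."""
    url = urlsplit(target)
    return (method == "GET" and url.path.rstrip("/") == VULN_PATH
            and "organizationId" in parse_qs(url.query))

def find_external_probes(lines):
    """Return (client_ip, target, status) for probes from untrusted addresses."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, method, target, status = m.groups()
        if not is_loginmethod_probe(method, target):
            continue
        if any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS):
            continue  # internal clients are expected to reach the endpoint
        hits.append((ip, target, int(status)))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [24/Jun/2026:10:01:02 +0000] "GET /api/v1/loginmethod?organizationId=org-123 HTTP/1.1" 200 812',
    '10.0.0.5 - - [24/Jun/2026:10:01:05 +0000] "GET /api/v1/loginmethod?organizationId=org-123 HTTP/1.1" 200 812',
    '203.0.113.7 - - [24/Jun/2026:10:01:09 +0000] "GET /api/v1/chatflows HTTP/1.1" 401 52',
]

if __name__ == "__main__":
    print("vulnerable version 3.0.13:", is_vulnerable_version("3.0.13"))
    for ip, target, status in find_external_probes(SAMPLE_LOG):
        print(f"external probe from {ip}: {target} -> HTTP {status}")
```

A 200 response to such a request from an untrusted client on a version below 3.1.0 is the signal to treat the configured OAuth client secrets as exposed and rotate them after upgrading.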

Mitigation Strategies

The immediate mitigation step is to upgrade Flowise to version 3.1.0 or later, where this vulnerability has been patched.

Additionally, restrict access to the /api/v1/loginmethod endpoint to trusted and authenticated users only, ensuring it is not exposed publicly without authentication.

If upgrading immediately is not possible, consider implementing network-level controls such as firewall rules or API gateway protections to block unauthenticated access to this endpoint.
