GHSA-4JPM-CGX2-8H37
Vulnerability from github – Published: 2026-04-16 21:44 – Updated: 2026-04-16 21:44
Summary
The /api/v1/public-chatbotConfig/:id endpoint exposes sensitive data, including API keys, HTTP Authorization headers and internal configuration, without any authentication. An attacker who knows only a chatflow UUID can retrieve credentials stored in password-type fields and HTTP headers, leading to credential theft and further compromise of the systems those credentials unlock.
Details
The chatflow UUID is the only prerequisite, and it can be obtained from embedded chat widgets, Referer headers or logs.
The getSinglePublicChatbotConfig function in packages/server/src/services/chatflows/index.ts returns the full flowData object without an authorization check or data sanitization.
The code carries the comment "Safe as public endpoint as chatbotConfig doesn't contain sensitive credential", but flowData does contain sensitive data such as:
- type: 'password' fields, which are stored in plaintext (for example unstructuredAPIKey in the S3 File node).
- HTTP Authorization headers configured on Requests POST / GET nodes.
- Internal API endpoints and webhook URLs.
PoC
- Add an S3 File node, set "File Processing Method" to "Unstructured".
- Enter an API key in "Unstructured API KEY" field or add a Requests Post node with Authorization header.
- Save the chatflow.
curl -s "https://localhost/api/v1/public-chatbotConfig/{CHATFLOW_UUID}"
Response:
{
"flowData": "{...\"unstructuredAPIKey\":\"victim_key\"...\"requestsPostHeaders\":\"Bearer victim_token\"...}"
}
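The two things a practitioner wants after reading the PoC are a way to check whether a given chatflow's flowData would leak through the public endpoint, and a redaction step that strips the password-type inputs and credential-bearing headers before anything is returned to an unauthenticated caller. The following is an added example written for this page; it is not Flowise's own code and not the fix shipped in 3.1.0. It assumes the flowData layout `{ nodes: [{ id, data: { inputParams: [{ name, type }], inputs: { name: value } } }], edges: [] }`, that header-carrying inputs are named with a `...Headers` suffix and hold a JSON-encoded header map (as the advisory's `requestsPostHeaders` key suggests), and the field and node names in the constructed sample are made up to mirror the PoC.

```typescript
// Added example, not Flowise's own code. Assumed flowData shape (assumption, not from the advisory):
//   { nodes: [{ id, data: { inputParams: [{ name, type }], inputs: { [name]: value } } }], edges: [] }
// Header inputs are assumed to be named "...Headers" and hold a JSON-encoded header map.

interface InputParam { name: string; type: string }
interface NodeData { inputParams?: InputParam[]; inputs?: Record<string, unknown> }
interface FlowNode { id: string; data: NodeData }
interface FlowData { nodes: FlowNode[]; edges: unknown[] }

export interface Leak { nodeId: string; field: string; reason: string }

// Header names whose values are credentials regardless of how the node labels them.
const CREDENTIAL_HEADER = /^(authorization|proxy-authorization|x-api-key|api-key|cookie)$/i;
const HEADER_INPUT = /headers$/i;

// Parse a stored header map; returns null when the value is not a JSON object.
function parseHeaders(value: unknown): Record<string, unknown> | null {
  try {
    const obj = typeof value === 'string' ? JSON.parse(value) : value;
    return obj !== null && typeof obj === 'object' && !Array.isArray(obj) ? (obj as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

// Names of inputs the node itself declares as type 'password'.
function passwordFieldNames(node: FlowNode): Set<string> {
  return new Set((node.data.inputParams ?? []).filter(p => p.type === 'password').map(p => p.name));
}

/** Report every input that a public, unauthenticated endpoint must not return. */
export function findSensitiveFields(flowDataJson: string): Leak[] {
  const flow = JSON.parse(flowDataJson) as FlowData;
  const leaks: Leak[] = [];
  for (const node of flow.nodes ?? []) {
    const secretNames = passwordFieldNames(node);
    for (const [name, value] of Object.entries(node.data.inputs ?? {})) {
      if (value === undefined || value === null || value === '') continue;
      if (secretNames.has(name)) {
        leaks.push({ nodeId: node.id, field: name, reason: 'password-type input stored in plaintext' });
      } else if (HEADER_INPUT.test(name)) {
        const headers = parseHeaders(value);
        if (headers === null) {
          // Not a parseable header map (e.g. a bare "Bearer ..." string): treat the whole field as a credential.
          leaks.push({ nodeId: node.id, field: name, reason: 'unparseable header field' });
        } else {
          for (const h of Object.keys(headers)) {
            if (CREDENTIAL_HEADER.test(h)) leaks.push({ nodeId: node.id, field: `${name}.${h}`, reason: 'credential-bearing HTTP header' });
          }
        }
      }
    }
  }
  return leaks;
}

/** Return a copy of flowData with password inputs and credential headers removed. */
export function sanitizeFlowData(flowDataJson: string): string {
  const flow = JSON.parse(flowDataJson) as FlowData; // freshly parsed, safe to mutate
  for (const node of flow.nodes ?? []) {
    const secretNames = passwordFieldNames(node);
    const inputs = node.data.inputs ?? {};
    for (const name of Object.keys(inputs)) {
      if (secretNames.has(name)) { delete inputs[name]; continue; }
      if (!HEADER_INPUT.test(name)) continue;
      const headers = parseHeaders(inputs[name]);
      if (headers === null) { delete inputs[name]; continue; } // unparseable: drop rather than guess
      for (const h of Object.keys(headers)) if (CREDENTIAL_HEADER.test(h)) delete headers[h];
      inputs[name] = typeof inputs[name] === 'string' ? JSON.stringify(headers) : headers;
    }
  }
  return JSON.stringify(flow);
}

// Constructed sample mirroring the PoC: an S3 File node with an Unstructured API key and a
// Requests Post node with an Authorization header. All values are made up.
export const SAMPLE_FLOW_DATA = JSON.stringify({
  nodes: [
    { id: 's3File_0', data: {
        inputParams: [{ name: 'bucketName', type: 'string' }, { name: 'unstructuredAPIKey', type: 'password' }],
        inputs: { bucketName: 'my-bucket', unstructuredAPIKey: 'victim_key' } } },
    { id: 'requestsPost_0', data: {
        inputParams: [{ name: 'url', type: 'string' }, { name: 'requestsPostHeaders', type: 'json' }],
        inputs: { url: 'https://internal.example/hook',
                  requestsPostHeaders: JSON.stringify({ Authorization: 'Bearer victim_token', 'Content-Type': 'application/json' }) } } },
  ],
  edges: [],
});
```

Running findSensitiveFields over the flowData string returned by the curl in the PoC tells an operator which chatflows on an unpatched instance were exposed and therefore which keys and tokens to rotate. The redaction is deliberately allow-nothing for password-typed inputs and for header fields it cannot parse; it does not touch the internal endpoint and webhook URLs the advisory also lists, so the stricter fix for a public endpoint is to not return flowData at all and serve only the chatbot display settings the widget needs.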
Impact
Affects all Flowise Cloud users whose chatflows contain password-type fields or any HTTP headers, as well as self-hosted Flowise instances exposed to the internet.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.13"
},
"package": {
"ecosystem": "npm",
"name": "flowise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-522",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T21:44:49Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\n`/api/v1/public-chatbotConfig/:id `ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more.\n\n### Details\n\nKnowledge of chatflow UUID can be obtained from embedded chat widgets, referrer headers or logs and it\u0027s the only prerequest. \n\n`getSinglePublicChatbotConfig` function in `packages/server/src/services/chatflows/index.ts` returns the full **flowData** object without authorization check or data sanitization.\n\nThere is a comment as **\"Safe as public endpoint as chatbotConfig doesn\u0027t contain sensitive credential\"** but **flowData** does contain sensitive data such as:\n\n`type: \u0027password\u0027` fields are stored in plaintext (unstructuredAPIKey in S3File node).\nHTTP Authorization headers in POST / GET Requests nodes.\nInternal API endpoints and webhook URLs.\n\n### PoC\n\n- Add an S3 File node, set \"File Processing Method\" to \"Unstructured\".\n- Enter an API key in \"Unstructured API KEY\" field or add a Requests Post node with Authorization header.\n- Save the chatflow.\n\n`curl -s \"https://localhost/api/v1/public-chatbotConfig/{CHATFLOW_UUID}\"`\n\nResponse:\n\n```\n{\n \"flowData\": \"{...\\\"unstructuredAPIKey\\\":\\\"victim_key\\\"...\\\"requestsPostHeaders\\\":\\\"Bearer victim_token\\\"...}\"\n}\n```\n\n### Impact\n\nImpacts all Flowise Cloud users with chatflows containing password type fields or any HTTP headers. And self hosted Flowise instances exposed to the internet.",
"id": "GHSA-4jpm-cgx2-8h37",
"modified": "2026-04-16T21:44:49Z",
"published": "2026-04-16T21:44:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-4jpm-cgx2-8h37"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Flowise: Sensitive Data Leak in public-chatbotConfig "
}