GHSA-V5W9-PRXF-W882

Vulnerability from github – Published: 2025-11-17 19:06 – Updated: 2025-11-17 19:06
VLAI
Summary
Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
Details

Summary

An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authentication.

Details

Critical vulnerability in Flowise 3.0.1 on-premise deployment allows unauthenticated attackers to exploit the /api/v1/account/register endpoint to add a new user and log in using it, enabling authentication bypass.

Meaning that the register functionality is by default open, allowing attackers to create an account and use the api without any restrictions or credentials.

PoC

A Flowise 3.0.1 instance was deployed via Docker for the purpose of this demonstration. 1 Docker

After successful deployment the instance setup organization page allows us to register the first account in the system. 1 newly deployed instance

Creating the first user research@evasec.io 2 configuring account

Login to the account 2 Login

The background request that created the first user to /api/v1/account/register 3 request

Response 3 1 response

We have found that it is possible to reuse the registration request multiple times without any restrictions to create an account and authenticate to the system using it.

Crafting a new request { "user": { "name": "Malicious", "email": "attacker@attack.io", "type": "pro", "credential": "Password123!" } } 4 attacker new register

Response with 201 code “Created” 4 1 created

Login using newly created user (attacker) 5 Login using attacker

Success login 6 Susccess auth bypass

An unauthorized user can exploit this vulnerability to register an account and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication.

Impact

This is an authentication bypass vulnerability caused by an unprotected registration endpoint (/register).

Users of Flowise 3.0.1(latest) on-premise deployments are impacted. An unauthorized attacker can exploit this vulnerability to register an account after the organization set has been completed, and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "versions": [
        "3.0.1"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-17T19:06:09Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nAn unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authentication.\n### Details\nCritical vulnerability in Flowise 3.0.1 on-premise deployment allows unauthenticated attackers to exploit the /api/v1/account/register endpoint to add a new user and log in using it, enabling authentication bypass.\n\nMeaning that the register functionality is by default open, allowing attackers to create an account and use the api without any restrictions or credentials.\n\n### PoC\nA Flowise 3.0.1 instance was deployed via Docker for the purpose of this demonstration.\n![1 Docker](https://github.com/user-attachments/assets/fb0b8627-63e3-4523-881f-a0ff6352b678)\n\nAfter successful deployment the instance setup organization page allows us to register the first account in the system.\n![1 newly deployed instance](https://github.com/user-attachments/assets/39d56738-eb97-469e-b96e-61cd7cec64a8)\n\nCreating the first user [research@evasec.io](mailto:research@evasec.io)\n![2 configuring account](https://github.com/user-attachments/assets/5fb94b35-c180-4d77-b209-dcff7043c457)\n\nLogin to the account\n![2 Login](https://github.com/user-attachments/assets/557e8268-099a-4519-bf86-b96a7c5f19ff)\n\nThe background request that created the first user to /api/v1/account/register \n![3 request](https://github.com/user-attachments/assets/b74b876d-b784-4142-9d46-10e90ff1b780)\n\nResponse\n![3 1 response](https://github.com/user-attachments/assets/db769da7-d241-4f0b-a99f-821fa5fdcf05)\n\nWe have found that it is possible to reuse the registration request multiple times without any restrictions to create an account and authenticate to the system using it.\n\nCrafting a new request \n{\n    \"user\": {\n        \"name\": \"Malicious\",\n        \"email\": \"attacker@attack.io\", \n        \"type\": \"pro\",\n        \"credential\": \"Password123!\"\n    }\n}\n![4 attacker new register](https://github.com/user-attachments/assets/ee34b9f9-7e03-4198-affa-cf2dd2f84666)\n\nResponse with 201 code \u201cCreated\u201d\n![4 1 created](https://github.com/user-attachments/assets/e2a49518-1566-4fe0-9cc5-2a496265974a)\n\nLogin using newly created user (attacker)\n![5 Login using attacker](https://github.com/user-attachments/assets/b6ef7eb2-d388-469d-92d7-0ca50cdd9873)\n\nSuccess login\n![6 Susccess auth bypass](https://github.com/user-attachments/assets/044376d8-f9c5-4de7-a53c-05dd2c66de83)\n\n\nAn unauthorized user can exploit this vulnerability to register an account and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication. \n### Impact\n\nThis is an authentication bypass vulnerability caused by an unprotected registration endpoint (/register).\n\nUsers of Flowise 3.0.1(latest) on-premise deployments are impacted. An unauthorized attacker can exploit this vulnerability to register an account after the organization set has been completed, and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication.",
  "id": "GHSA-v5w9-prxf-w882",
  "modified": "2025-11-17T19:06:09Z",
  "published": "2025-11-17T19:06:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v5w9-prxf-w882"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…