CVE-2026-30820

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.
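The bug class described above is a client-controlled header being used as an authorization oracle. The following is an added illustration written for this page, not Flowise's own code: an Express-style authorization check in its vulnerable form (a spoofable header short-circuits every check) beside a hardened form that ignores the header and recognizes internal callers only by a server-side marker. The header name and value come from the advisory; the route paths, the role model and the `internalCall` flag are assumptions made for the example.

```javascript
// Illustrative Express-style authorization check, written for this page.
// Not Flowise's own code. The header name/value (x-request-from: internal)
// is from the advisory; the route names, the role model and the
// `internalCall` flag are assumptions made for this example.

const INTERNAL_HEADER = 'x-request-from';
const INTERNAL_VALUE = 'internal';

// Assumed admin-only routes under /api/v1/** (hypothetical paths).
const ADMIN_ROUTES = new Set([
  '/api/v1/apikey',
  '/api/v1/credentials',
  '/api/v1/node-custom-function',
]);

// Build a minimal request object (constructed test data; no real HTTP).
// Header names are lowercased, as Node's HTTP parser does.
function makeRequest(path, headers = {}, session = null, internalCall = false) {
  const normalized = {};
  for (const [name, value] of Object.entries(headers)) {
    normalized[name.toLowerCase()] = value;
  }
  return { path, headers: normalized, session, internalCall };
}

// Ordinary tenant authorization: a session is required, and admin routes
// additionally require the admin role.
function authorizeByRole(req) {
  if (!req.session) return { allowed: false, reason: 'unauthenticated' };
  if (ADMIN_ROUTES.has(req.path) && req.session.role !== 'admin') {
    return { allowed: false, reason: 'forbidden' };
  }
  return { allowed: true, reason: `role:${req.session.role}` };
}

// Vulnerable pattern (the bug class in the description): a client-controlled
// header bypasses every check, so any cookie-bearing tenant becomes
// "internal" by adding one header to the request.
function authorizeVulnerable(req) {
  if (req.headers[INTERNAL_HEADER] === INTERNAL_VALUE) {
    return { allowed: true, reason: 'trusted-header' };
  }
  return authorizeByRole(req);
}

// Hardened pattern: the header is ignored entirely. Internal callers are
// recognized only by something a client cannot set, modelled here as an
// `internalCall` flag that server code attaches when it dispatches an
// in-process request (assumption; a server-held secret or a separate
// internal-only listener serves the same purpose). Every external request
// goes through the role check.
function authorizeHardened(req) {
  if (req.internalCall === true) return { allowed: true, reason: 'in-process' };
  return authorizeByRole(req);
}

// Detection hook: an external request carrying the internal marker is either
// a misconfigured proxy or a bypass attempt, and worth logging either way.
function isHeaderSpoofAttempt(req) {
  return req.internalCall !== true && req.headers[INTERNAL_HEADER] === INTERNAL_VALUE;
}

// Run both policies over the same constructed requests and return the outcomes.
function compareScenarios() {
  const tenant = { user: 'tenant-a', role: 'user' };
  const marker = { 'X-Request-From': 'internal' };
  const cases = {
    lowPrivWithHeader: makeRequest('/api/v1/apikey', marker, tenant),
    lowPrivNoHeader: makeRequest('/api/v1/apikey', {}, tenant),
    anonymousWithHeader: makeRequest('/api/v1/credentials', marker, null),
    // A genuine in-process caller: carries the marker (as the vulnerable
    // design expects) and is flagged server-side (as the hardened design needs).
    genuineInternal: makeRequest('/api/v1/credentials', marker, null, true),
  };
  const results = {};
  for (const [name, req] of Object.entries(cases)) {
    results[name] = {
      vulnerable: authorizeVulnerable(req).allowed,
      hardened: authorizeHardened(req).allowed,
      spoofAttempt: isHeaderSpoofAttempt(req),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareScenarios());
}
```

The table printed by `compareScenarios()` makes the escalation visible in one glance: with the vulnerable policy a low-privilege tenant (or even an anonymous client) reaches an admin route by adding the header, while the hardened policy denies both and still admits the genuine in-process caller. The `isHeaderSpoofAttempt` check is the detection counterpart: on a patched deployment, any external request still carrying `x-request-from: internal` deserves an alert.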
Configurations

Configuration 1

cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*

History

11 Mar 2026, 13:46

Type       | Values Removed                                                                            | Values Added
CVSS       | v2 : unknown; v3 : unknown                                                                | v2 : unknown; v3 : 8.8
CPE        |                                                                                           | cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
First Time |                                                                                           | Flowiseai; Flowiseai flowise
References | https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 (no tags)              | https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 (Product, Release Notes)
References | https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq (no tags)    | https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq (Exploit, Vendor Advisory)
Summary    |                                                                                           | (es) Spanish-language summary added; translated: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.

07 Mar 2026, 05:16

Type    | Values Removed | Values Added
New CVE |                |

Information

Published : 2026-03-07 05:16

Updated : 2026-03-11 13:46


NVD link : CVE-2026-30820

Mitre link : CVE-2026-30820

CVE.ORG link : CVE-2026-30820

Products Affected

flowiseai

  • flowise
CWE
CWE-863

Incorrect Authorization