<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Wed, 17 Jun 2026 22:21:10 +0000</lastBuildDate>
    <item>
      <title>69757276-81d3-4d55-99a5-441bad9a1a34</title>
      <link>https://vulnerability.circl.lu/sighting/69757276-81d3-4d55-99a5-441bad9a1a34/export</link>
      <description>{"uuid": "69757276-81d3-4d55-99a5-441bad9a1a34", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-C2C9-MFW7-P8HW", "type": "seen", "source": "https://gist.github.com/alon710/feabaa614915bfed4bc482d4a78d8681", "content": "# GHSA-C2C9-MFW7-P8HW: GHSA-C2C9-MFW7-P8HW: Cross-Workspace Chatflow Disclosure in Flowise\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-05-20\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-C2C9-MFW7-P8HW\n\n## Summary\nAn Incorrect Authorization vulnerability in Flowise versions up to 3.1.1 allows cross-workspace information disclosure. The `/api/v1/chatflows/apikey/:apikey` endpoint fails to scope database queries by workspace, exposing unprotected chatflow configurations, LLM prompts, and application metadata across the entire instance.\n\n## TL;DR\nFlowise &amp;lt;= 3.1.1 contains a flaw in API key authorization where a valid API key from any workspace can be used to read all unprotected chatflows from all other workspaces on the same instance. Administrators must upgrade to version 3.1.2 to resolve this data leakage.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-863 (Incorrect Authorization)\n- **Attack Vector**: Network / Remote\n- **CVSS Score**: 5.3 (Medium)\n- **Privileges Required**: Low (Valid API Key)\n- **Impact**: Cross-Workspace Information Disclosure\n- **Exploit Status**: Proof of Concept available\n\n## Affected Systems\n\n- Flowise &amp;lt;= 3.1.1\n- **Flowise**: &amp;lt;= 3.1.1 (Fixed in: `3.1.2`)\n\n## Mitigation\n\n- Upgrade to a patched version of Flowise (&amp;gt;= 3.1.2)\n- Enable individual password protection on all sensitive chatflows\n- Restrict API access via WAF or reverse proxy filtering\n\n**Remediation Steps:**\n1. Verify the current version of the Flowise deployment.\n2. Update the `flowise` npm package to version 3.1.2 or later.\n3. Restart the Flowise service to apply changes.\n4. Audit all existing chatflows and verify no hardcoded credentials exist within node configurations.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/advisories/GHSA-c2c9-mfw7-p8hw)\n- [Flowise Security Overview](https://github.com/FlowiseAI/Flowise/security)\n- [OSV Database Entry](https://osv.dev/vulnerability/GHSA-c2c9-mfw7-p8hw)\n- [GitLab Advisory Database](https://advisories.gitlab.com/advisories/GHSA-c2c9-mfw7-p8hw)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-C2C9-MFW7-P8HW) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-21T05:40:51.000000Z"}</description>
      <content:encoded>{"uuid": "69757276-81d3-4d55-99a5-441bad9a1a34", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-C2C9-MFW7-P8HW", "type": "seen", "source": "https://gist.github.com/alon710/feabaa614915bfed4bc482d4a78d8681", "content": "# GHSA-C2C9-MFW7-P8HW: GHSA-C2C9-MFW7-P8HW: Cross-Workspace Chatflow Disclosure in Flowise\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-05-20\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-C2C9-MFW7-P8HW\n\n## Summary\nAn Incorrect Authorization vulnerability in Flowise versions up to 3.1.1 allows cross-workspace information disclosure. The `/api/v1/chatflows/apikey/:apikey` endpoint fails to scope database queries by workspace, exposing unprotected chatflow configurations, LLM prompts, and application metadata across the entire instance.\n\n## TL;DR\nFlowise &amp;lt;= 3.1.1 contains a flaw in API key authorization where a valid API key from any workspace can be used to read all unprotected chatflows from all other workspaces on the same instance. Administrators must upgrade to version 3.1.2 to resolve this data leakage.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-863 (Incorrect Authorization)\n- **Attack Vector**: Network / Remote\n- **CVSS Score**: 5.3 (Medium)\n- **Privileges Required**: Low (Valid API Key)\n- **Impact**: Cross-Workspace Information Disclosure\n- **Exploit Status**: Proof of Concept available\n\n## Affected Systems\n\n- Flowise &amp;lt;= 3.1.1\n- **Flowise**: &amp;lt;= 3.1.1 (Fixed in: `3.1.2`)\n\n## Mitigation\n\n- Upgrade to a patched version of Flowise (&amp;gt;= 3.1.2)\n- Enable individual password protection on all sensitive chatflows\n- Restrict API access via WAF or reverse proxy filtering\n\n**Remediation Steps:**\n1. Verify the current version of the Flowise deployment.\n2. Update the `flowise` npm package to version 3.1.2 or later.\n3. Restart the Flowise service to apply changes.\n4. Audit all existing chatflows and verify no hardcoded credentials exist within node configurations.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/advisories/GHSA-c2c9-mfw7-p8hw)\n- [Flowise Security Overview](https://github.com/FlowiseAI/Flowise/security)\n- [OSV Database Entry](https://osv.dev/vulnerability/GHSA-c2c9-mfw7-p8hw)\n- [GitLab Advisory Database](https://advisories.gitlab.com/advisories/GHSA-c2c9-mfw7-p8hw)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-C2C9-MFW7-P8HW) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-21T05:40:51.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/69757276-81d3-4d55-99a5-441bad9a1a34/export</guid>
      <pubDate>Thu, 21 May 2026 05:40:51 +0000</pubDate>
    </item>
  </channel>
</rss>
