GHSA-HMG2-JJJX-JCP2

Vulnerability from github – Published: 2026-05-14 16:19 – Updated: 2026-06-11 14:08
VLAI
Summary
FlowiseAI: Vector Store No Permission Checks
Details

FINDING 4: OpenAI Assistants Vector Store - No Auth on CRUD Operations

Severity: HIGH (CVSS ~8.1) Type: CWE-306 (Missing Authentication for Critical Function) File: packages/server/src/routes/openai-assistants-vector-store/index.ts

Description: ALL CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware AND the route path /api/v1/openai-assistants-vector-store is NOT in WHITELIST_URLS. However, it is also NOT protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but NO permission checks exist on any operation.

The real issue is that the routes have no checkAnyPermission() middleware, meaning any authenticated user regardless of role can: - Create vector stores - Upload files to vector stores - Delete vector stores and files - Modify any vector store

Evidence:

// No permission middleware on any route
router.post('/', controller.createAssistantVectorStore)          // No permission check
router.put(['/', '/:id'], controller.updateAssistantVectorStore) // No permission check
router.delete(['/', '/:id'], controller.deleteAssistantVectorStore) // No permission check
router.post('/:id', getMulterStorage().array('files'), controller.uploadFilesToAssistantVectorStore) // No permission check

Impact: Any authenticated user can manipulate OpenAI vector stores, upload malicious files, delete data, or exfiltrate stored documents regardless of their assigned permissions.

Severity
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46444"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T16:19:23Z",
    "nvd_published_at": "2026-06-08T16:16:41Z",
    "severity": "HIGH"
  },
  "details": "### FINDING 4: OpenAI Assistants Vector Store - No Auth on CRUD Operations\n**Severity**: HIGH (CVSS ~8.1)\n**Type**: CWE-306 (Missing Authentication for Critical Function)\n**File**: `packages/server/src/routes/openai-assistants-vector-store/index.ts`\n\n**Description**: ALL CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware AND the route path `/api/v1/openai-assistants-vector-store` is NOT in `WHITELIST_URLS`. However, it is also NOT protected by the main auth middleware when accessed via API key \u2014 the route requires API key auth (not whitelisted), but NO permission checks exist on any operation.\n\nThe real issue is that the routes have no `checkAnyPermission()` middleware, meaning any authenticated user regardless of role can:\n- Create vector stores\n- Upload files to vector stores\n- Delete vector stores and files\n- Modify any vector store\n\n**Evidence**:\n```typescript\n// No permission middleware on any route\nrouter.post(\u0027/\u0027, controller.createAssistantVectorStore)          // No permission check\nrouter.put([\u0027/\u0027, \u0027/:id\u0027], controller.updateAssistantVectorStore) // No permission check\nrouter.delete([\u0027/\u0027, \u0027/:id\u0027], controller.deleteAssistantVectorStore) // No permission check\nrouter.post(\u0027/:id\u0027, getMulterStorage().array(\u0027files\u0027), controller.uploadFilesToAssistantVectorStore) // No permission check\n```\n\n**Impact**: Any authenticated user can manipulate OpenAI vector stores, upload malicious files, delete data, or exfiltrate stored documents regardless of their assigned permissions.",
  "id": "GHSA-hmg2-jjjx-jcp2",
  "modified": "2026-06-11T14:08:34Z",
  "published": "2026-05-14T16:19:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-hmg2-jjjx-jcp2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46444"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FlowiseAI: Vector Store No Permission Checks"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.