CVE-2026-56270
Flowise Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-56270 is a missing authentication vulnerability in FlowiseAI's Flowise platform affecting the /api/v1/loginmethod endpoint. It allows unauthenticated remote attackers to retrieve an organization's complete SSO configuration — including OAuth client secrets in cleartext — by supplying only an organizationId parameter in a GET request. All versions up to and including 3.0.13 are affected; version 3.1.0 contains the fix. The vulnerability carries a CVSS v3.1 score of 7.5 (High) and a CVSS v4.0 score of 8.7 (High) (GitHub Advisory, Feedly).

Détails techniques

The root cause is CWE-306 (Missing Authentication for Critical Function) combined with CWE-312 (Cleartext Storage of Sensitive Information): the /api/v1/loginmethod endpoint performs no authentication check before returning the full SSO provider configuration for a given organization. An attacker sends a simple unauthenticated HTTP GET request with an organizationId query parameter, and the server responds with a 200 OK containing OAuth client IDs and client secrets in plaintext JSON for all configured providers (Google, Microsoft/Azure, GitHub, Auth0). No session cookies, tokens, or authorization headers are required, making the attack trivially automatable (GitHub Advisory).

Impact

Successful exploitation results in full disclosure of an organization's OAuth client secrets for integrated SSO providers including Google, Microsoft/Azure, GitHub, and Auth0. An attacker in possession of these credentials could impersonate the application in OAuth flows, potentially gaining unauthorized access to user accounts, performing account takeover, or pivoting into connected third-party services. Both FlowiseAI Cloud (cloud.flowiseai.com) and self-hosted Flowise instances with the endpoint exposed to the internet are affected (GitHub Advisory, Feedly).

Étapes d’exploitation

  1. Reconnaissance: Identify exposed Flowise instances (cloud or self-hosted) running versions ≤ 3.0.13 using tools like Shodan, Censys, or by browsing to known cloud endpoints such as cloud.flowiseai.com.
  2. Enumerate organization IDs: Obtain or enumerate valid organizationId values. These may be discoverable through other unauthenticated endpoints, public documentation, or by observing network traffic from a legitimate Flowise login page.
  3. Send unauthenticated GET request: Issue the following request with no authentication headers:
GET /api/v1/loginmethod?organizationId=<target_organization_id> HTTP/2
Host: <flowise-instance>
Accept: application/json
  1. Harvest OAuth secrets: Parse the JSON response, which returns cleartext clientID and clientSecret values for all configured SSO providers (Google, Azure, GitHub, Auth0).
  2. Abuse harvested credentials: Use the stolen OAuth client secrets to impersonate the Flowise application in OAuth authorization flows, potentially enabling account takeover or unauthorized access to integrated services (GitHub Advisory).

Indicateurs de compromis

  • Network: Unauthenticated GET requests to /api/v1/loginmethod with an organizationId query parameter originating from unexpected or external IP addresses; high-frequency or scripted requests to this endpoint suggesting automated enumeration.
  • Logs: Web server or application access logs showing GET /api/v1/loginmethod?organizationId= requests returning HTTP 200 responses without any associated session token or Authorization header; requests from IPs not associated with known users or services.
  • Downstream Activity: Unexpected OAuth token issuances or login events in Google Workspace, Azure AD, GitHub, or Auth0 audit logs using the application's client credentials from unfamiliar IP addresses or user agents (GitHub Advisory).

Atténuation et solutions de contournement

Upgrade Flowise to version 3.1.0 or later, which patches the missing authentication on the /api/v1/loginmethod endpoint. Organizations unable to patch immediately should restrict network access to this endpoint via firewall rules or reverse proxy ACLs, limiting it to trusted IP ranges only. Additionally, all OAuth client secrets for integrated providers (Google, Microsoft/Azure, GitHub, Auth0) should be rotated immediately, as any previously exposed secrets must be considered compromised (GitHub Advisory, Feedly).

Réactions de la communauté

The vulnerability was reported by security researcher berkdedekarginoglu and published as a GitHub Security Advisory by igor-magun-wd on April 15, 2026. VulnCheck independently documented the issue and assigned it a CVSS v4.0 score of 8.7. Tenable added detection coverage via cloud security and container security plugins. Social media activity was limited, with a brief mention on Bluesky shortly after disclosure (GitHub Advisory, VulnCheck Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Flowise Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-56278CRITICAL9.3
  • Flowise logoFlowise
  • flowise
NonOuiJun 30, 2026
CVE-2026-56270HIGH8.7
  • Flowise logoFlowise
  • flowise
NonOuiJun 24, 2026
CVE-2025-71332HIGH8.5
  • Flowise logoFlowise
  • flowise
NonNonJun 24, 2026
CVE-2026-56272MEDIUM5.6
  • Flowise logoFlowise
  • flowise
NonOuiJun 24, 2026
CVE-2026-56269MEDIUM4.3
  • Flowise logoFlowise
  • flowise
NonOuiJun 24, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités