Multiple Vulnerabilities Discovered in Flowise Affecting User Data and System Security

Multiple Vulnerabilities Discovered in Flowise Affecting User Data and System Security

First seen 20 Apr 2026, 15:28 UTC Tenable 82% similarity 72.0

Article Content

Browse articles
ThreatCluster

On April 20, 2026, Tenable reported multiple vulnerabilities in Flowise, a software platform. The vulnerabilities include an insecure implementation of the Faiss and SimpleStore vector store, which allows authenticated attackers to write data to arbitrary locations on the server filesystem. Another critical issue involves the /api/v1/account/forgot-password endpoint, which exposes full user objects containing personally identifiable information (PII) to unauthenticated attackers. Additionally, the NVIDIA NIM router is improperly whitelisted, permitting unauthenticated access to sensitive container management and token generation endpoints. Users of Flowise are urged to upgrade to version 3.1.0 or later to mitigate these risks. The vulnerabilities affect any organization using Flowise, particularly those handling sensitive user data. The current status indicates that these issues require immediate attention to prevent potential exploitation.

Key Points: • Authenticated attackers can exploit filesystem vulnerabilities in Flowise. • Unauthenticated access to sensitive user data is possible via the forgot-password endpoint. • Improper whitelisting of the NVIDIA NIM router allows unauthorized access to critical functions.

ThreatCluster AI

Timeline

2026-04-20
Tenable reports multiple vulnerabilities in Flowise
2026-04-20
Users advised to upgrade to Flowise version 3.1.0 or later

Community

Browse all →