Multiple Vulnerabilities Discovered in Flowise Affecting User Data and System Security

Severity: High (Score: 72.0)

Sources: Tenable

Summary

On April 20, 2026, Tenable reported multiple vulnerabilities in Flowise, a software platform. The vulnerabilities include an insecure implementation of the Faiss and SimpleStore vector store, which allows authenticated attackers to write data to arbitrary locations on the server filesystem. Another critical issue involves the /api/v1/account/forgot-password endpoint, which exposes full user objects containing personally identifiable information (PII) to unauthenticated attackers. Additionally, the NVIDIA NIM router is improperly whitelisted, permitting unauthenticated access to sensitive container management and token generation endpoints. Users of Flowise are urged to upgrade to version 3.1.0 or later to mitigate these risks. The vulnerabilities affect any organization using Flowise, particularly those handling sensitive user data. The current status indicates that these issues require immediate attention to prevent potential exploitation. Key Points: • Authenticated attackers can exploit filesystem vulnerabilities in Flowise. • Unauthenticated access to sensitive user data is possible via the forgot-password endpoint. • Improper whitelisting of the NVIDIA NIM router allows unauthorized access to critical functions.

Key Entities

• Data Breach (attack_type)
• Flowise (platform)
• Faiss (platform)
• LlamaIndex (platform)
• Nvidia NIM Router (platform)
• SimpleStore (platform)
• Tenable (company)
• CWE-200 - Exposure of Sensitive Information (cwe)
• CWE-22 - Path Traversal (cwe)
• CWE-287 - Improper Authentication (cwe)