Flowise
cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*
- <= 3.0.13
A vulnerability in Flowise prior to version 3.1.0 allows the GET /api/v1/public-chatflows/:id endpoint to return the full chatflow object for public chatflows without proper sanitization. This issue is more severe than initially assessed, as the released v3.0.13 Docker image lacks the necessary sanitization function. Both the public-chatflows and public-chatbotConfig endpoints expose raw flowData, including sensitive information such as credential IDs, plaintext API keys, and password-type fields.
The vulnerability leads to the unintentional disclosure of sensitive information: credential IDs, which could facilitate OAuth2 token theft; plaintext API keys and passwords, which could be used for direct third-party account compromise; and node configurations that reveal internal architecture and endpoint URLs.
Users can update to Flowise version 3.1.0 or later, where this vulnerability has been fixed.
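Operators reviewing exported chatflows can check which ones embed secrets with a routine like the one below. This is an added example, not Flowise's own code or its sanitization function; the flowData layout (nodes[].data carrying credential, inputs and typed inputParams) and the name auditFlowData are assumptions, and the sample flow is constructed.

```javascript
// Added example: report and redact secret-bearing fields in a chatflow's flowData.
// Assumed layout (not taken from the advisory):
//   { nodes: [{ id, data: { credential, inputs: {...}, inputParams: [{ name, type }] } }] }
const REDACTED = '[REDACTED]';

function auditFlowData(flowDataJson) {
  const flow = JSON.parse(flowDataJson); // throws on malformed input, which callers should treat as a failure
  const findings = [];
  for (const node of Array.isArray(flow.nodes) ? flow.nodes : []) {
    const data = node.data || {};
    const inputs = data.inputs || {};
    // Credential IDs reference stored secrets and have no use on the client side.
    if (data.credential) {
      findings.push({ node: node.id, field: 'credential', kind: 'credential-id' });
      delete data.credential;
    }
    // Password-type parameters are where plaintext API keys and passwords live.
    for (const param of data.inputParams || []) {
      if (param.type === 'password' && inputs[param.name]) {
        findings.push({ node: node.id, field: param.name, kind: 'password-field' });
        inputs[param.name] = REDACTED;
      }
    }
  }
  // Findings name the location only, never the secret value itself.
  return { findings, sanitized: JSON.stringify(flow) };
}

// Constructed sample input; all identifiers and values are made up.
const sampleFlowData = JSON.stringify({
  nodes: [
    { id: 'chatModel_0', data: {
      credential: 'constructed-credential-id',
      inputParams: [{ name: 'modelName', type: 'string' }],
      inputs: { modelName: 'example-model' } } },
    { id: 'httpTool_0', data: {
      inputParams: [{ name: 'apiKey', type: 'password' }, { name: 'url', type: 'string' }],
      inputs: { apiKey: 'constructed-secret-value', url: 'https://internal.example/api' } } },
  ],
  edges: [],
});

console.log(auditFlowData(sampleFlowData).findings);
```

Any finding on a chatflow that was public on an affected version means the referenced key or password should be rotated. The routine leaves non-secret node configuration such as endpoint URLs in place, so what a public client actually needs is a separate decision.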