Flowise Basic Authentication Vulnerability Allowing Credential Exposure and Brute-Force Attacks

Vulnerability

Prior to version 3.1.2, Flowise's checkBasicAuth endpoint validated submitted credentials in plaintext with a direct string comparison and applied no rate limiting, so an attacker can submit an unlimited number of guesses against the authentication check. Because the endpoint also returned distinct responses for successful and failed attempts, every guess could be confirmed or rejected, which allows credentials to be enumerated by brute force. The issue is patched in version 3.1.2.

Impact

An unauthenticated attacker can make an unlimited number of username and password guesses against the endpoint and, if any guess succeeds, gain unauthorized access to the application.
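From the detection side, the following is an added example written for this page, not code from the Flowise project, that scans web-server access logs for the guessing pattern described above: a burst of 401 responses from one client against the authentication endpoint, and the stronger signal of a 200 arriving right after such a burst. The log lines are constructed, Apache-style samples; the endpoint path /api/v1/auth, the 5-failures-in-60-seconds threshold and the function names are assumptions.

```javascript
// Added detection example, not Flowise's code. The log format, the auth
// endpoint path and the thresholds are hypothetical.
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// ip - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD PATH PROTO" STATUS ...
const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, d, mon, y, hh, mm, ss, sign, oh, om, method, path, status] = m;
  // Local timestamp minus its UTC offset gives the instant in UTC.
  const offsetMs = (sign === "-" ? -1 : 1) * (+oh * 60 + +om) * 60000;
  const ts = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss) - offsetMs;
  return { ip, ts, method, path, status: +status };
}

// Returns { ip: { failuresInWindow, successAfterFailures } } for every client
// that exceeded the failure threshold against the auth endpoint.
function detectBruteForce(logText, { windowMs = 60000, threshold = 5, authPath = "/api/v1/auth" } = {}) {
  const events = logText.split("\n").map(parseLine)
    .filter(e => e !== null && e.path === authPath)
    .sort((a, b) => a.ts - b.ts);
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const findings = {};
  for (const [ip, evs] of byIp) {
    // Sliding window over 401s: largest number of failures within windowMs.
    const fails = evs.filter(e => e.status === 401);
    let start = 0, maxInWindow = 0;
    for (let i = 0; i < fails.length; i++) {
      while (fails[i].ts - fails[start].ts > windowMs) start++;
      maxInWindow = Math.max(maxInWindow, i - start + 1);
    }
    // A 200 directly after a run of at least `threshold` 401s suggests a guess landed.
    let streak = 0, successAfterFailures = false;
    for (const e of evs) {
      if (e.status === 401) streak++;
      else if (e.status === 200) { if (streak >= threshold) successAfterFailures = true; streak = 0; }
    }
    if (maxInWindow >= threshold) findings[ip] = { failuresInWindow: maxInWindow, successAfterFailures };
  }
  return findings;
}

// Constructed sample log: 203.0.113.7 guesses six times in 15 s and then gets
// in; 198.51.100.4 mistypes twice and then logs in (normal behaviour).
const SAMPLE_LOG = `
203.0.113.7 - - [08/Jun/2026:16:50:01 +0000] "POST /api/v1/auth HTTP/1.1" 401 41
203.0.113.7 - - [08/Jun/2026:16:50:04 +0000] "POST /api/v1/auth HTTP/1.1" 401 41
203.0.113.7 - - [08/Jun/2026:16:50:07 +0000] "POST /api/v1/auth HTTP/1.1" 401 41
198.51.100.4 - - [08/Jun/2026:16:50:09 +0000] "POST /api/v1/auth HTTP/1.1" 401 41
203.0.113.7 - - [08/Jun/2026:16:50:10 +0000] "POST /api/v1/auth HTTP/1.1" 401 41
203.0.113.7 - - [08/Jun/2026:16:50:13 +0000] "POST /api/v1/auth HTTP/1.1" 401 41
198.51.100.4 - - [08/Jun/2026:16:50:15 +0000] "POST /api/v1/auth HTTP/1.1" 401 41
203.0.113.7 - - [08/Jun/2026:16:50:16 +0000] "POST /api/v1/auth HTTP/1.1" 401 41
198.51.100.4 - - [08/Jun/2026:16:50:20 +0000] "POST /api/v1/auth HTTP/1.1" 200 18
203.0.113.7 - - [08/Jun/2026:16:50:19 +0000] "POST /api/v1/auth HTTP/1.1" 200 18
203.0.113.7 - - [08/Jun/2026:16:50:25 +0000] "GET /healthz HTTP/1.1" 200 2
`;

console.log(detectBruteForce(SAMPLE_LOG));
```

Only the first client is reported, with six failures inside the window and the success-after-burst flag set; the second client's two failures stay below the threshold. The sliding window matters because a fixed-interval count can miss a burst that straddles an interval boundary, and the "200 after a burst" flag is the finding to act on first, since it indicates a possibly compromised account rather than mere noise.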

Remediation

Update Flowise to version 3.1.2 or later. Until the upgrade is applied, restricting network access to the instance or rate-limiting requests to the authentication endpoint at a reverse proxy reduces the exposure to guessing attacks.

Added: Jun 8, 2026, 4:56 PM
Updated: Jun 8, 2026, 4:56 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.