Flowise OpenAI Assistants Vector Store Missing Authentication Vulnerability

Vulnerability

A vulnerability exists in Flowise versions prior to 3.1.2 in which all CRUD endpoints for the OpenAI Assistants Vector Store lack authentication middleware. The route '/api/v1/openai-assistants-vector-store' is not included in WHITELIST_URLS and, although it requires API key authentication, it does not enforce any permission checks. As a result, any authenticated user can create, modify, or delete vector stores, and upload or exfiltrate files, regardless of their assigned permissions.
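The gap described above, modelled as an added example (not Flowise code and not part of the advisory): a route outside the whitelist passes API key authentication but carries no permission check, and a small audit flags it. The route table, the `/api/v1/ping` whitelist entry, the permission names and all helper functions are hypothetical.

```javascript
// Added example: a constructed model, not Flowise source code.
// Route table, permission names and caller record are hypothetical.
const WHITELIST_URLS = ['/api/v1/ping']; // constructed: routes that skip authentication

// `permission` is what the route-level check requires;
// null models a route registered with no permission check at all.
const routes = [
  { method: 'GET',    path: '/api/v1/ping', permission: null },
  { method: 'POST',   path: '/api/v1/openai-assistants-vector-store', permission: null },
  { method: 'DELETE', path: '/api/v1/openai-assistants-vector-store', permission: null },
  { method: 'POST',   path: '/api/v1/hypothetical-guarded-route', permission: 'guarded:create' },
];

// Authentication (is there a valid caller?) then authorization (may the caller do this?).
function dispatch(table, req) {
  const route = table.find(r => r.method === req.method && r.path === req.path);
  if (!route) return 404;
  if (WHITELIST_URLS.includes(route.path)) return 200;
  if (!req.caller) return 401; // no valid API key
  if (route.permission && !req.caller.permissions.includes(route.permission)) return 403;
  return 200; // handler runs
}

// Audit: every route outside the whitelist must name a permission.
function findUngatedRoutes(table) {
  return table
    .filter(r => !WHITELIST_URLS.includes(r.path) && !r.permission)
    .map(r => `${r.method} ${r.path}`);
}

// Hardened table: attach a (hypothetical) permission to each ungated route.
function harden(table, permissionFor) {
  return table.map(r =>
    WHITELIST_URLS.includes(r.path) || r.permission ? r : { ...r, permission: permissionFor(r) });
}

// Authenticated caller holding only an unrelated, low-privilege permission.
const readOnlyCaller = { permissions: ['guarded:view'] };
const del = { method: 'DELETE', path: '/api/v1/openai-assistants-vector-store', caller: readOnlyCaller };
const fixed = harden(routes, r => `vectorstore:${r.method.toLowerCase()}`);

console.log(findUngatedRoutes(routes));                   // both vector-store routes
console.log(dispatch(routes, del), dispatch(fixed, del)); // 200 before, 403 after
```

Running an audit of this shape against the real route registrations in CI catches a newly added route that authenticates callers but never checks what they are allowed to do.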

Impact

The absence of authentication and permission checks on the OpenAI Assistants Vector Store CRUD operations allows any authenticated user to manipulate vector stores and associated files without restriction. This could lead to unauthorized data modification, deletion, or exfiltration.

Remediation

Users can update to Flowise version 3.1.2 or later, where this vulnerability has been patched.

Added: Jun 8, 2026, 4:47 PM
Updated: Jun 8, 2026, 4:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 3.1
exploitability: 4.9
remediation: 7.7
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.