CVE-2026-30824

Severity: CRITICAL · Nuclei template available

Flowise < 3.0.13 - Unauthenticated Privileged Endpoint Access via NVIDIA NIM Router Whitelist

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-30824. PoCs published by dylvie. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a functional Python exploit for CVE-2026-30824, an authentication bypass vulnerability in Flowise NVIDIA NIM. The exploit demonstrates unauthenticated access to critical endpoints, including token leakage and container management.

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13.

Exploits (1)

GitHub · WORKING POC
by dylvie · python · poc
https://github.com/dylvie/CVE-2026-30824-Flowise-NVIDIA-NIM-Authentication

Classification
Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Flowise < 3.0.13
No auth needed
Prerequisites: Network access to the target Flowise instance
devstral-2 · analyzed Apr 29, 2026

Nuclei Templates (1)

Flowise - NVIDIA NIM Endpoints Missing Authentication
HIGH · by DhiyaneshDk
Shodan: title:"Flowise"
FOFA: title="Flowise"

Scores

CVSS v3: 9.8
EPSS: 0.2159
EPSS Percentile: 95.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-306
Status: published
Products (2)
flowiseai/flowise < 3.0.13
npm/flowise 0 - 3.0.13 (npm)
Published: Mar 07, 2026
Tracked Since: Mar 07, 2026