CVE-2026-30824

CRITICAL NUCLEI

Flowise <3.0.13 - Auth Bypass

Title source: llm

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13.

Nuclei Templates (1)

Flowise - NVIDIA NIM Endpoints Missing Authentication

HIGHby DhiyaneshDk

Shodan: title:"Flowise"

FOFA: title="Flowise"

References (2)

[Release Notes] https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13

[Vendor Advisory] https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454

Scores

CVSS v3 9.8

EPSS 0.0822

EPSS Percentile 92.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-306

Status published

Products (2)

flowiseai/flowise < 3.0.13

npm/flowise 0 - 3.0.13npm

Published Mar 07, 2026

Tracked Since Mar 07, 2026