CVE-2026-56268
HIGHFlowise - Cross-Workspace Information Disclosure via chatflows/apikey Endpoint
Title source: cnaDescription
Flowise before 3.1.2 contains an information disclosure vulnerability in the /api/v1/chatflows/apikey/:apikey endpoint. When the keyonly query parameter is omitted (the default), the endpoint returns not only the chatflows bound to the supplied API key but also all chatflows across every workspace that have no API key assigned, because the underlying query lacks any workspace filter. An attacker with a valid API key for one workspace can therefore retrieve the full ChatFlow configuration (including flowData with system prompts and node configurations, chatbotConfig, apiConfig, and credential IDs) of unprotected chatflows belonging to other workspaces.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-c2c9-mfw7-p8hw)
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-c2c9-mfw7-p8hw
Third Party Advisory third-party-advisory
VulnCheck Advisory: Flowise - Cross-Workspace Information Disclosure via chatflows/apikey Endpoint
https://www.vulncheck.com/advisories/flowise-cross-workspace-information-disclosure-via-chatflows-apikey-endpoint
Scores
CVSS v3
7.7
EPSS
0.0028
EPSS Percentile
20.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (4)
Flowise/Flowise
< 3.1.2
Flowise/Flowise
3.1.2
flowiseai/flowise
< 3.1.2
npm/flowise
0 - 3.1.2npm
Published
Jun 22, 2026
Tracked Since
Jun 23, 2026