CVE-2026-56268

HIGH

Flowise - Cross-Workspace Information Disclosure via chatflows/apikey Endpoint

Title source: cna
STIX 2.1

Description

Flowise before 3.1.2 contains an information disclosure vulnerability in the /api/v1/chatflows/apikey/:apikey endpoint. When the keyonly query parameter is omitted (the default), the endpoint returns not only the chatflows bound to the supplied API key but also all chatflows across every workspace that have no API key assigned, because the underlying query lacks any workspace filter. An attacker with a valid API key for one workspace can therefore retrieve the full ChatFlow configuration (including flowData with system prompts and node configurations, chatbotConfig, apiConfig, and credential IDs) of unprotected chatflows belonging to other workspaces.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-c2c9-mfw7-p8hw)
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-c2c9-mfw7-p8hw
Third Party Advisory third-party-advisory
VulnCheck Advisory: Flowise - Cross-Workspace Information Disclosure via chatflows/apikey Endpoint
https://www.vulncheck.com/advisories/flowise-cross-workspace-information-disclosure-via-chatflows-apikey-endpoint

Scores

CVSS v3 7.7
EPSS 0.0028
EPSS Percentile 20.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (4)
Flowise/Flowise < 3.1.2
Flowise/Flowise 3.1.2
flowiseai/flowise < 3.1.2
npm/flowise 0 - 3.1.2npm
Published Jun 22, 2026
Tracked Since Jun 23, 2026