#VU125527 Missing Authentication for Critical Function in Flowise - CVE-2026-30824

 


Published: April 9, 2026


Vulnerability identifier: #VU125527
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-30824
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Flowise
Software vendor: FlowiseAI

Description

The vulnerability allows a remote attacker to disclose sensitive information in a subsequent system.

The vulnerability exists due to missing authentication for a critical function in the NVIDIA NIM endpoints when handling requests to /api/v1/nvidia-nim/*. A remote attacker can send crafted requests to obtain a valid NVIDIA API token and disclose sensitive information in a subsequent system.

On systems with Docker or NIM installed, additional unauthenticated endpoint access may allow container enumeration, image pulls, container starts, or service disruption.
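To check whether these endpoints were reached before the update was applied, web or reverse-proxy access logs can be searched for the path prefix named above. The following is an added example, not code from this advisory or from Flowise; the log layout, the trusted-IP list, the sample lines and the placeholder sub-paths are all assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

NIM_PREFIX = "/api/v1/nvidia-nim/"  # path prefix named in the advisory

# Common/combined access-log layout (assumed; adjust to your proxy's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise_path(target):
    """Canonicalise a request target so encoded or oddly-cased forms compare equal."""
    path = unquote(target.split("?", 1)[0])            # drop query, decode once
    path = posixpath.normpath("/" + path.lstrip("/"))  # collapse '//', '.', '..'
    return path.lower() + "/"                          # bare prefix matches too

def flag_nim_requests(lines, trusted_ips=frozenset()):
    """Return (time, ip, method, target, served) for NIM requests from untrusted IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in trusted_ips:
            continue
        if not normalise_path(m["target"]).startswith(NIM_PREFIX):
            continue
        # Assumption: a 2xx status means the endpoint served the request.
        served = m["status"].startswith("2")
        hits.append((m["ts"], m["ip"], m["method"], m["target"], served))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder sub-paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2026:10:01:02 +0000] "GET /api/v1/nvidia-nim/placeholder-endpoint HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Apr/2026:10:01:05 +0000] "GET /API/v1//nvidia-nim/%70laceholder HTTP/1.1" 401 0',
    '192.0.2.10 - - [09/Apr/2026:10:02:00 +0000] "POST /api/v1/nvidia-nim/placeholder-endpoint HTTP/1.1" 200 40',
    '198.51.100.4 - - [09/Apr/2026:10:03:00 +0000] "GET /api/v1/other-placeholder HTTP/1.1" 200 88',
    '198.51.100.4 - - [09/Apr/2026:10:03:09 +0000] "GET /api/v1/x/../nvidia-nim/ HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for hit in flag_nim_requests(SAMPLE_LOG, trusted_ips={"192.0.2.10"}):
        print(hit)
```

Any hit with `served` set to true from an address outside the trusted list is a reason to rotate the NVIDIA API token configured on that instance.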


Remediation

Install the security update from the vendor's website.
