
N3Mes1S

#29135 of 53,633
8.8 Total CVSS
Vulnerabilities · 1
PT-2026-23786
8.8
2026-03-06
Flowise · Flowise · CVE-2026-30820
**Name of the Vulnerable Software and Affected Versions**

Flowise versions prior to 3.0.13.

**Description**

Flowise trusts any HTTP client that sends the header `x-request-from: internal` and skips authorization for every `/api/v1/**` endpoint when it is present. Because the header is set by the client, an authenticated low-privilege tenant holding nothing more than a browser session cookie can add it to a request and reach internal administration endpoints, including API key management, credential stores, and custom function execution. The result is privilege escalation.

The vulnerable code is at `external/Flowise/packages/server/src/index.ts:214`, where the application short-circuits the authorization check on the presence of `x-request-from: internal` without any further validation of who sent the request.

Affected **API endpoints** named in the report:

- `/api/v1/apikey` (explicitly confirmed reachable with the bypass; allows creation of new API keys)
- `/api/v1/credentials`
- `/api/v1/tools`
- `/api/v1/node-custom-function`

The vulnerable parameter is the `x-request-from` request header.

**Recommendations**

Flowise versions prior to 3.0.13 are vulnerable; update to version 3.0.13 or later. As a general interim measure not stated in the advisory itself, removing the `x-request-from` header from inbound requests at a reverse proxy in front of Flowise prevents external clients from triggering the bypass described here until the upgrade is applied.
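The following is an added illustration of the authorization pattern the advisory describes, written for this page and not taken from Flowise's code base. It models a minimal request object and two authorization decisions: a vulnerable one that short-circuits on a client-supplied `x-request-from: internal` header, and a hardened one in which client-supplied headers carry no authority and the decision rests only on the server-side session. The request shape, the `tenant`/`admin` role names, and the `/api/v1/chatflows` tenant-accessible path are assumptions for the demonstration; the four administrative paths are the ones the advisory lists.

```typescript
// Added example, not Flowise code. Demonstrates why trusting a client-supplied
// header for authorization (CVE-2026-30820 pattern) is a privilege-escalation bug.

type Decision = "allow" | "deny";
type Role = "tenant" | "admin"; // role names are assumed for this illustration

interface ApiRequest {
  path: string;
  headers: Record<string, string | undefined>; // Node lowercases header names
  session?: { userId: string; role: Role };    // populated server-side from the cookie
}

const PROTECTED_PREFIX = "/api/v1/";

// Administrative endpoints named in the advisory.
const ADMIN_PATHS = [
  "/api/v1/apikey",
  "/api/v1/credentials",
  "/api/v1/tools",
  "/api/v1/node-custom-function",
];

function isAdminPath(path: string): boolean {
  return ADMIN_PATHS.some((p) => path === p || path.startsWith(p + "/"));
}

// Session-based decision: the only input is state the server itself established.
function authorizeBySession(req: ApiRequest): Decision {
  if (!req.path.startsWith(PROTECTED_PREFIX)) return "allow"; // not an API route
  if (!req.session) return "deny";                             // unauthenticated
  if (isAdminPath(req.path) && req.session.role !== "admin") return "deny";
  return "allow";
}

// VULNERABLE: any client can send this header, so the short-circuit hands
// full API access to whoever adds it, regardless of session or role.
function authorizeVulnerable(req: ApiRequest): Decision {
  if (req.headers["x-request-from"] === "internal") return "allow";
  return authorizeBySession(req);
}

// HARDENED: client-controlled headers are ignored for authorization entirely.
// (Real internal calls should be distinguished by an in-process path or a
// server-held secret, never by a free-form header value.)
function authorizeHardened(req: ApiRequest): Decision {
  return authorizeBySession(req);
}

// Constructed sample: a low-privilege tenant with a valid session cookie adds
// the header and targets the API-key endpoint, as described in the advisory.
const tenantWithHeader: ApiRequest = {
  path: "/api/v1/apikey",
  headers: { cookie: "session=abc123", "x-request-from": "internal" },
  session: { userId: "tenant-1", role: "tenant" },
};

const tenantNoHeader: ApiRequest = {
  ...tenantWithHeader,
  headers: { cookie: "session=abc123" },
};

const unauthenticatedWithHeader: ApiRequest = {
  path: "/api/v1/credentials",
  headers: { "x-request-from": "internal" },
};

function demo(): void {
  console.log("tenant + header   vulnerable:", authorizeVulnerable(tenantWithHeader),
              " hardened:", authorizeHardened(tenantWithHeader));
  console.log("tenant, no header vulnerable:", authorizeVulnerable(tenantNoHeader),
              " hardened:", authorizeHardened(tenantNoHeader));
  console.log("no session+header vulnerable:", authorizeVulnerable(unauthenticatedWithHeader),
              " hardened:", authorizeHardened(unauthenticatedWithHeader));
}

demo();
```

The point of the hardened version is not a stricter comparison on the header but the removal of the header from the decision altogether: an attribute the attacker controls cannot be an input to an authorization check. If internal callers genuinely need a fast path, bind it to something the client cannot forge (an in-process call that never traverses HTTP, or a secret held only by the server and compared in constant time).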