PT-2026-23786 · Flowise · Flowise

N3Mes1S · Published 2026-03-06 · Updated 2026-03-19 · CVE-2026-30820

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.0.13

Description: Flowise trusts any HTTP client that sets the header x-request-from: internal and skips its authorization checks for every /api/v1/** endpoint when that header is present. Because the header is chosen by the client, an authenticated low-privilege tenant needs only its browser session cookie plus the forged header to invoke internal administration endpoints, including API key management, credential stores and custom function execution, which amounts to a privilege escalation. The vulnerable code resides in external/Flowise/packages/server/src/index.ts:214, where the application short-circuits authorization on the mere presence of the x-request-from: internal header without further validation. /api/v1/apikey is the endpoint explicitly confirmed as reachable through the bypass, allowing creation of new API keys; /api/v1/credentials, /api/v1/tools and /api/v1/node-custom-function are also affected. The vulnerable parameter is the x-request-from request header.

Recommendations: Flowise versions prior to 3.0.13 are vulnerable and should be updated to version 3.0.13 or later. Until the update is applied, treat any request carrying x-request-from: internal as untrusted input: a header supplied by the client cannot prove that a request originated inside the server.
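The following is an added illustration of the bug class described above, written for this page; it is not Flowise source code and does not reproduce the actual logic at index.ts:214. It models the header short-circuit next to a hardened check that ignores inbound headers, and drives both with a forged tenant request against /api/v1/apikey. The request shape, the role names admin and tenant, and all function names are assumptions made for the example.

```typescript
// Added example for this advisory (not Flowise code). Request shape, role
// names and helper names are assumptions made for illustration.

interface Session {
  userId: string;
  role: 'admin' | 'tenant';
}

interface InboundRequest {
  path: string;
  headers: Record<string, string>; // header names lower-cased, as Node's http module does
  session?: Session;               // present when a valid session cookie was verified
}

interface Decision {
  allowed: boolean;
  reason: string;
}

// Endpoints the advisory names as reachable through the bypass.
const ADMIN_ENDPOINTS: string[] = [
  '/api/v1/apikey',
  '/api/v1/credentials',
  '/api/v1/tools',
  '/api/v1/node-custom-function',
];

function isAdminEndpoint(path: string): boolean {
  return ADMIN_ENDPOINTS.some((p) => path === p || path.startsWith(p + '/'));
}

// Session-based check shared by both variants: no session means no access,
// and the admin endpoints above require the admin role.
function roleCheck(req: InboundRequest): Decision {
  if (!req.session) {
    return { allowed: false, reason: 'no authenticated session' };
  }
  if (isAdminEndpoint(req.path) && req.session.role !== 'admin') {
    return { allowed: false, reason: 'admin endpoint requires admin role' };
  }
  return { allowed: true, reason: 'role permits access' };
}

// Vulnerable pattern (the advisory's description): a request that carries
// x-request-from: internal skips authorization entirely. Any HTTP client can
// add that header, so the "internal" marker carries no trust.
function authorizeVulnerable(req: InboundRequest): Decision {
  if (req.headers['x-request-from'] === 'internal') {
    return { allowed: true, reason: 'short-circuit: header claims internal caller' };
  }
  return roleCheck(req);
}

// Hardened pattern: inbound headers never influence the decision. Whatever the
// client claims about itself, the verified session role alone decides.
function authorizeHardened(req: InboundRequest): Decision {
  return roleCheck(req);
}

// Constructed input: a low-privilege tenant with a valid cookie adds the forged
// header to reach the API key endpoint, the escalation path the advisory describes.
function forgedTenantRequest(): InboundRequest {
  return {
    path: '/api/v1/apikey',
    headers: { 'x-request-from': 'internal', 'content-type': 'application/json' },
    session: { userId: 'tenant-42', role: 'tenant' },
  };
}

function demo(): { vulnerable: Decision; hardened: Decision } {
  const req = forgedTenantRequest();
  return { vulnerable: authorizeVulnerable(req), hardened: authorizeHardened(req) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints the two decisions: the vulnerable variant lets the tenant's forged request through to /api/v1/apikey, the hardened one refuses it with the role error. The general design point is that an "internal caller" distinction must rest on something the client cannot supply; in-process callers can invoke the service layer directly instead of re-entering the public HTTP authorization path with a marker header. Whether Flowise 3.0.13 takes that particular approach is not stated on this page.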

Exploit · Fix · LPE · Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-30820
GHSA-WVHQ-WP8G-C7VQ

Affected Products

Flowise