PT-2026-23789 · Flowise · Flowise

Berkdedekarginoglu · Published 2026-03-06 · Updated 2026-03-07 · CVE-2026-30823

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.0.13
Description: Flowise is a drag & drop user interface for building customized large language model flows. A critical Insecure Direct Object Reference (IDOR) vulnerability, combined with a business logic flaw, exists in the PUT /api/v1/loginmethod endpoint. The endpoint does not validate whether the authenticated user has ownership or administrative rights over the target organizationId. This allows a low-privileged user to overwrite the SSO configuration of any organization, enable Enterprise-only features without a license, and perform account takeover by redirecting the authentication flow. The backend accepts the organizationId parameter from the JSON body and updates the database record without checking that request.user.organizationId equals body.organizationId. An attacker can send a crafted PUT request to the /api/v1/loginmethod endpoint, modifying the victim's Google SSO configuration by replacing the legitimate OAuth credentials with credentials for a malicious application. This can lead to session hijacking or credential theft when the victim's employees attempt to log in via SSO.
Recommendations: Versions prior to 3.0.13 should be updated to version 3.0.13 or later.

Exploit

Fix

Weakness Enumeration: IDOR, Missing Authorization

Related Identifiers: CVE-2026-30823, GHSA-CWC3-P92J-G7QM

Affected Products: Flowise