PT-2026-34747 · Flowise · Flowise
Published: 2026-04-17 · Updated: 2026-04-23 · CVE-2026-41279
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Flowise versions prior to 3.1.0
Description
The text-to-speech generation endpoint 'POST /api/v1/text-to-speech/generate' is whitelisted and does not require authentication. It accepts a credentialId directly in the request body. When the endpoint is called without a chatflowId, it uses the provided credentialId to decrypt stored credentials, such as OpenAI or ElevenLabs API keys, to generate speech.
Recommendations
Update to version 3.1.0.
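The authorization gap described above, modeled as an added example that is not Flowise source code and not the project's actual fix. The function names, the in-memory stores, the workspace ownership model and the public-chatflow rule are all assumptions made for illustration.

```javascript
// Added illustration, not Flowise source. All names and data are hypothetical.
// Constructed in-memory stores standing in for credential and chatflow tables.
const credentials = new Map([
  ['cred-openai-1', { owner: 'ws-a', provider: 'openai' }],
  ['cred-eleven-2', { owner: 'ws-b', provider: 'elevenlabs' }],
]);
const chatflows = new Map([
  // A chatflow's TTS credential is chosen by its owner and stored server-side.
  ['flow-public-1', { owner: 'ws-a', isPublic: true, ttsCredentialId: 'cred-openai-1' }],
]);

// Pattern from the description: with no chatflowId, the credentialId from the
// request body is used as-is, so any caller can select any stored credential.
function resolveCredentialVulnerable(req) {
  const { chatflowId, credentialId } = req.body;
  if (!chatflowId) return credentialId ?? null;
  return chatflows.get(chatflowId)?.ttsCredentialId ?? null;
}

// Hardened pattern: a credential reference is honoured only when it is tied to
// the authenticated caller or to the chatflow's own server-side configuration.
function resolveCredentialHardened(req) {
  const { chatflowId, credentialId } = req.body;
  const user = req.user ?? null; // set by auth middleware; null when anonymous

  if (chatflowId) {
    const flow = chatflows.get(chatflowId);
    if (!flow) return { status: 404 };
    if (!flow.isPublic && (!user || user.workspace !== flow.owner)) return { status: 401 };
    // Ignore any body-supplied credentialId; use the one bound to the chatflow.
    return { status: 200, credentialId: flow.ttsCredentialId };
  }

  // No chatflow context: a raw credentialId requires an authenticated owner.
  if (!user) return { status: 401 };
  const cred = credentials.get(credentialId);
  if (!cred || cred.owner !== user.workspace) return { status: 403 };
  return { status: 200, credentialId };
}
```

On an instance that cannot be upgraded immediately, the same rule can be approximated at a reverse proxy by requiring authentication on this route.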
Fix
IDOR
Weakness Enumeration
Related Identifiers
Affected Products
Flowise