PT-2026-35599 · Npm · Flowise
Published 2026-04-17 · Updated 2026-04-17
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Summary
The text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no authentication required) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the caller-supplied credentialId to decrypt the stored credential (e.g., an OpenAI or ElevenLabs API key) and generate speech.

Root Cause
```typescript
// packages/server/src/controllers/text-to-speech/index.ts:58-64
} else {
    // Use TTS config from request body
    provider = bodyProvider
    credentialId = bodyCredentialId // ← attacker-controlled credential ID
    voice = bodyVoice
    model = bodyModel
}
```

Docker Validation
POST /api/v1/text-to-speech/generate with an arbitrary credentialId in the body: the endpoint processes the request, sends the SSE tts start event, and only fails when the credential doesn't exist, which proves the code path runs without authentication.

Impact
- Use victim's API keys (OpenAI, ElevenLabs, Azure, Google) without authorization
- Burn API credits on the victim's account
- Generate unlimited speech content at victim's expense
- Combined with credential ID leak from Finding 2, this is trivially exploitable
Suggested Fix
Remove the TTS endpoint from WHITELIST_URLS or validate that the credential belongs to the chatflow being used:

```typescript
// Only allow credentialId when it matches the chatflow's TTS configuration
if (!chatflowId) {
    return res.status(401).json({ message: 'Authentication required' })
}
```

References
- packages/server/src/controllers/text-to-speech/index.ts, lines 10-162
- packages/server/src/utils/constants.ts, line 41 (whitelist entry)
Credits
- Shinobi Security - https://github.com/shinobisecurity
Fix
IDOR
Affected Products
Flowise