PT-2026-41205 · Npm · Flowise

Published

2026-05-14

·

Updated

2026-05-14

·

CVE-2026-46440

CVSS v3.1

7.5

High

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Detection Method: Kolega.dev Deep Code Scan

Severity: Medium
CWE: CWE-522 (Insufficiently Protected Credentials)
Location: packages/server/src/enterprise/controllers/account.controller.ts:128-135
Practical Exploitability: Medium
Developer Approver: faizan@kolega.ai

Description

The checkBasicAuth endpoint compares the submitted username and password directly (plain ===) against plaintext values held in environment variables, and nothing rate-limits calls to the endpoint.

Affected Code

public async checkBasicAuth(req: Request, res: Response) {
  const { username, password } = req.body
  // Plain === against env vars; no rate limit applies to this route
  if (username === process.env.FLOWISE_USERNAME && password === process.env.FLOWISE_PASSWORD) {
    return res.json({ message: 'Authentication successful' })
  }
  // failure branch (responds 'Authentication failed' per the Notes) is not reproduced on this page
}

Evidence

Credentials arrive in the request body and are compared directly, without hashing, against the plaintext values in the environment. No rate limiting applies to the endpoint, so guesses can be submitted without restriction. The response distinguishes success from failure, and the && short-circuits, so a wrong username skips the password comparison entirely.

Impact

Credential brute-forcing: an attacker can submit an unlimited number of username/password guesses against the basic-auth endpoint. A correct guess grants access to the application.

Recommendation

  1. Implement rate limiting on this endpoint.
  2. Use a constant-time comparison (e.g. crypto.timingSafeEqual) instead of === to remove the timing side channel.
  3. Consider comparing hashes of the values rather than the raw strings.
  4. Return a single generic error message for every failure.
  5. Log failed attempts.

Notes

The checkBasicAuth method at lines 128-135 has several weaknesses:

(1) No rate limiting. The RateLimiterManager applies only to chatflow-specific endpoints, not to the authentication endpoint, so an attacker can make brute-force attempts without limit.

(2) Comparison with the JavaScript === operator, which is not constant-time. The timing signal from comparing two short strings is tiny and hard to measure over a network, so this is a hardening point rather than the practical exposure; crypto.timingSafeEqual over equal-length buffers is the usual replacement.

(3) Distinct messages for success ('Authentication successful') and failure ('Authentication failed'). An authentication endpoint has to signal success, so what matters is that every failure (wrong username, wrong password, malformed body) produces the same response and takes the same code path, so the username cannot be confirmed on its own.

The endpoint compares the submitted plaintext credentials against the environment variables FLOWISE_USERNAME and FLOWISE_PASSWORD. This basic-auth mode is meant for simpler deployments, but the absence of rate limiting makes it actively exploitable for credential brute-forcing.
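The following is an added example, not Flowise's code and not the vendor's fix, showing how the five recommendations above and the three weaknesses in the Notes can be addressed in one handler. To keep it runnable stand-alone it makes some assumptions: Express is not imported, so the handler takes the parsed body plus the client IP and returns the status and JSON body it would send; AttemptLimiter is a hypothetical in-process fixed-window limiter standing in for whatever the deployment actually uses; the expected credentials are injected rather than read from process.env; and both sides of the comparison are SHA-256 hashed so that crypto.timingSafeEqual receives equal-length buffers. The sample credentials and IPs in the comments and tests are constructed for the example.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto'

// Added example: a hardened stand-in for checkBasicAuth. Express is deliberately
// not used so the logic runs stand-alone; the handler takes the parsed body plus
// the client IP and returns the status and JSON body it would send.
export interface AuthRequest { username?: unknown; password?: unknown; ip: string }
export interface AuthResponse { status: number; body: { message: string } }
export type AuthOutcome = 'ok' | 'failed' | 'throttled'

// Constant-time string comparison. Hashing both sides first yields equal-length
// buffers, so timingSafeEqual never throws on a length mismatch and the length
// of the expected secret is not leaked through an early exit.
export function safeEqual(a: string, b: string): boolean {
  const ha = createHash('sha256').update(a, 'utf8').digest()
  const hb = createHash('sha256').update(b, 'utf8').digest()
  return timingSafeEqual(ha, hb)
}

// Hypothetical in-memory fixed-window limiter: at most `limit` attempts per
// client key per `windowMs`. State lives in this process only.
export class AttemptLimiter {
  private readonly limit: number
  private readonly windowMs: number
  private readonly hits = new Map<string, { count: number; resetAt: number }>()

  constructor(limit: number, windowMs: number) {
    this.limit = limit
    this.windowMs = windowMs
  }

  // true if this attempt may proceed, false if the client is throttled.
  allow(key: string, now: number = Date.now()): boolean {
    const entry = this.hits.get(key)
    if (entry === undefined || now >= entry.resetAt) {
      this.hits.set(key, { count: 1, resetAt: now + this.windowMs })
      return true
    }
    entry.count += 1
    return entry.count <= this.limit
  }
}

export interface AuthDeps {
  expectedUsername: string // in Flowise this would come from FLOWISE_USERNAME
  expectedPassword: string // in Flowise this would come from FLOWISE_PASSWORD
  limiter: AttemptLimiter
  log: (event: { outcome: AuthOutcome; ip: string }) => void
  now?: number // injectable clock so runs are deterministic
}

export function checkBasicAuthHardened(req: AuthRequest, deps: AuthDeps): AuthResponse {
  // 1. Rate limit before doing any work; a throttled client learns nothing.
  if (!deps.limiter.allow(req.ip, deps.now)) {
    deps.log({ outcome: 'throttled', ip: req.ip })
    return { status: 429, body: { message: 'Too many attempts, try again later' } }
  }
  // 2. Only strings reach the comparison; arrays/objects in the JSON body fail closed.
  const username = typeof req.username === 'string' ? req.username : ''
  const password = typeof req.password === 'string' ? req.password : ''
  // 3. Evaluate BOTH comparisons (no short-circuit &&) so the time taken does not
  //    reveal whether the username alone was right.
  const userOk = safeEqual(username, deps.expectedUsername)
  const passOk = safeEqual(password, deps.expectedPassword)
  if (userOk && passOk) {
    deps.log({ outcome: 'ok', ip: req.ip })
    return { status: 200, body: { message: 'Authentication successful' } }
  }
  // 4/5. Log the failure; one generic message for wrong user and wrong password alike.
  deps.log({ outcome: 'failed', ip: req.ip })
  return { status: 401, body: { message: 'Authentication failed' } }
}

// Replay a password-guessing burst from one IP and tally the outcomes: shows how
// many guesses the endpoint actually evaluates before the limiter cuts it off.
export function simulateBruteForce(
  username: string, guesses: string[], deps: AuthDeps, ip: string,
): { succeeded: number; failed: number; throttled: number } {
  const tally = { succeeded: 0, failed: 0, throttled: 0 }
  for (const guess of guesses) {
    const res = checkBasicAuthHardened({ username, password: guess, ip }, deps)
    if (res.status === 200) tally.succeeded += 1
    else if (res.status === 429) tally.throttled += 1
    else tally.failed += 1
  }
  return tally
}
```

With a limit of 5 per minute, simulateBruteForce over 20 guesses from one IP evaluates only the first 5 and returns 429 for the rest, so a wordlist attack degrades from unlimited to a handful of guesses per window. Two design points: the Map-backed limiter is per process, so a deployment running several replicas behind a load balancer needs a shared store (or a limiter at the reverse proxy) for the cap to hold; and hashing before timingSafeEqual is what makes the comparison safe for inputs of any length, since timingSafeEqual throws on buffers of unequal size and that exception itself would leak the expected length.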

Weakness Enumeration

CWE-522 (Insufficiently Protected Credentials)

Related Identifiers

CVE-2026-46440
GHSA-PHP6-83FG-GW3G

Affected Products

Flowise