CVE-2026-46443

CVSS v4.0

7.0

High

Vector

AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Severity: HIGH (CVSS ~7.5) Type: CWE-200 (Exposure of Sensitive Information) File: packages/server/src/services/credentials/index.ts:62-71

Description: When credentials are fetched with a credentialName filter parameter, the encryptedData field is NOT stripped from the response. The code properly omits encryptedData when NO filter is used (line 102) but fails to do so when a filter IS used (lines 62-63, 70-71). Credential Data Leak Evidence:

// Lines 62-63: WITH filter - encryptedData LEAKED
const credentials = await appServer.AppDataSource.getRepository(Credential).findBy(searchOptions)
dbResponse.push(...credentials) // encryptedData NOT removed!

// Lines 100-102: WITHOUT filter - encryptedData properly omitted
for (const credential of credentials) {
  dbResponse.push(omit(credential, ['encryptedData'])) // Correctly omitted
}

Impact: Authenticated users can extract encrypted credential data (API keys, passwords, tokens for services like OpenAI, AWS, etc.). Combined with access to the encryption key file (~/.flowise/encryption.key written with default permissions), this enables full credential theft.

Reproduction:

curl https://TARGET/api/v1/credentials?credentialName=openAIApi 
 -H "Authorization: Bearer API KEY"
# Response includes encryptedData field with AES-encrypted credentials

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2026-46443

GHSA-7G73-99R4-M4MJ

Affected Products

Flowise

CVE-2026-46443

Weakness Enumeration

Related Identifiers

Affected Products

References · 4