PT-2026-41209 · Flowiseai+1 · Flowise
Published: 2026-05-14 · Updated: 2026-06-11 · CVE-2026-46444
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Flowise versions prior to 3.1.2
Description
All CRUD endpoints for the OpenAI Assistants Vector Store lack authentication middleware and permission checks. Specifically, the route path "/api/v1/openai-assistants-vector-store" is not included in WHITELIST URLS and is not protected by the main authentication middleware when accessed via API key. Because the checkAnyPermission() function is missing, any authenticated user, regardless of their assigned role, can perform operations such as creating, modifying, and deleting vector stores and files, as well as uploading files to vector stores.
Recommendations
Update to version 3.1.2.
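The missing per-route permission check described above, modelled next to its guarded form, as an added example that is not Flowise source code. The middleware signature, the permission strings and the two user objects are constructed assumptions; only the route path and the name checkAnyPermission come from the advisory.

```javascript
// Added example, not Flowise source. The permission strings, user objects and
// the middleware signature below are constructed for illustration.
const BASE = '/api/v1/openai-assistants-vector-store';

// Stand-in permission middleware: pass if the user holds any listed permission.
function checkAnyPermission(...required) {
  const mw = (req, res, next) =>
    required.some((p) => req.user.permissions.includes(p)) ? next() : res.deny(403);
  mw.isPermissionCheck = true; // marker used by the static audit below
  return mw;
}

const handler = (req, res) => res.ok();

// "Before": handlers mounted with no permission middleware in the chain.
const routesBefore = [
  { method: 'POST', path: BASE, chain: [handler] },
  { method: 'PUT', path: `${BASE}/:id`, chain: [handler] },
  { method: 'DELETE', path: `${BASE}/:id`, chain: [handler] },
];

// "After": every state-changing route names the permission it requires.
const routesAfter = [
  { method: 'POST', path: BASE, chain: [checkAnyPermission('store:create'), handler] },
  { method: 'PUT', path: `${BASE}/:id`, chain: [checkAnyPermission('store:update'), handler] },
  { method: 'DELETE', path: `${BASE}/:id`, chain: [checkAnyPermission('store:delete'), handler] },
];

// Run a route's middleware chain for an already-authenticated user.
function dispatch(route, user) {
  let status = null;
  const res = { ok: () => { status = 200; }, deny: (code) => { status = code; } };
  let i = 0;
  const next = () => { const fn = route.chain[i++]; if (fn) fn({ user }, res, next); };
  next();
  return status;
}

// Static audit: list routes whose chain contains no permission check at all.
function unguarded(routes) {
  return routes
    .filter((r) => !r.chain.some((fn) => fn.isPermissionCheck))
    .map((r) => `${r.method} ${r.path}`);
}

const viewer = { role: 'viewer', permissions: ['store:view'] };
const editor = { role: 'editor', permissions: ['store:view', 'store:update', 'store:delete'] };
```

The same `unguarded` idea works as a CI check over a real route table: fail the build when a state-changing route has no permission middleware in its chain.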
Fix
Missing Authorization
Affected Products
Flowise