PT-2026-45133 — Npm Flowise

PT-2026-45133 · Npm · Flowise

Published

2026-05-20

Updated

2026-05-20

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

The TTS generation endpoint sets Access-Control-Allow-Origin: * as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials.

Root Cause

typescript

// packages/server/src/controllers/text-to-speech/index.ts:83
res.setHeader('Access-Control-Allow-Origin', '*')
res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')

Impact

Cross-origin credential abuse — any webpage can trigger TTS using stored credentials
Bypasses the server's CORS policy (getCorsOptions()) which is otherwise restrictive by default
Combined with Finding 3 (TTS credential abuse), enables drive-by credential abuse via malicious webpages

Suggested Fix

Remove the hardcoded CORS wildcard and let the server's CORS middleware handle the headers:

typescript

// Remove these lines:
// res.setHeader('Access-Control-Allow-Origin', '*')
// res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')

References

packages/server/src/controllers/text-to-speech/index.ts line 83

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-942

Related Identifiers

GHSA-M837-XVXR-VQWG

Affected Products

Flowise