PT-2026-55224 · Drupal+1 · Flowdrop+1
Aincient Labs
+5
·
Published
2026-07-01
·
Updated
2026-07-10
·
CVE-2026-58589
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
FlowDrop versions 0.0.0 through 1.6.0
Description
A missing authorization issue allows forceful browsing. The module, which enables testing and running AI-driven workflows via a chat interface, fails to sufficiently enforce permissions on certain endpoints. This may allow attackers to trigger workflow execution, resulting in LLM (Large Language Model) costs and tool side effects, or enable them to send messages into sessions belonging to other users. This issue is mitigated if the attacker does not possess the "View any session" permission, which is not granted to anonymous or authenticated users by default.
Recommendations
Update FlowDrop to a version later than 1.6.0.
Restrict the "View any session" permission to prevent unauthorized users from accessing the affected endpoints.
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Flowdrop
Drupal/Flowdrop