HIGH 8.8

CVE-2026-46444: Flowise OpenAI Vector Store Authentication Bypass (CVSS 8.8)

Flowise versions prior to 3.1.2 contain a critical authentication flaw in the OpenAI Assistants Vector Store endpoints. Any authenticated user with a valid API key can perform unrestricted create, read, update, and delete operations on vector store data without additional permission checks. This means a low-privileged user or compromised API key can manipulate vector stores that should only be accessible to specific users or administrative roles.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-862
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in WHITELIST_URLS. However, it is also not protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but no permission checks exist on any operation. This issue has been patched in version 3.1.2.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper access control on the /api/v1/openai-assistants-vector-store endpoint family. While the route requires API key authentication and is not in the WHITELIST_URLS, it lacks granular permission validation for individual CRUD operations. The route is protected by the API key requirement but contains no authorization logic to enforce role-based or ownership-based access controls. This allows any authenticated API consumer to read sensitive vector store configurations, modify them, or delete them entirely. The CWE-862 classification (Missing Authorization) accurately reflects this gap between authentication and authorization.

Business impact

Organizations using Flowise to build LLM applications face exposure of proprietary vector store data, including embeddings and knowledge base content that may contain sensitive information. Attackers with valid credentials—whether stolen, leaked, or obtained through social engineering—can poison vector stores with malicious data, degrade model performance, or exfiltrate training data. For SaaS operators offering Flowise-based services, this enables cross-tenant data leakage if multiple customers share infrastructure. The impact extends to supply chain risk if vector stores feed production LLM pipelines.

Affected systems

All Flowise deployments running versions before 3.1.2 are affected. This includes self-hosted instances and any downstream applications or forks based on vulnerable Flowise versions. Organizations using Flowise to manage AI vector stores for retrieval-augmented generation (RAG) workflows are at highest risk. The vulnerability is version-specific; patching to 3.1.2 or later eliminates the exposure.

Exploitability

Exploitation requires valid API key credentials but no special network position. An insider, contractor, or user whose API key has been compromised can immediately abuse this endpoint. The attack surface is network-accessible without authentication bypass complexity. CVSS score of 8.8 (HIGH) reflects the combination of network accessibility, authenticated access only, and high confidentiality/integrity/availability impact. The low barrier to exploitation—no special tooling, no complex race conditions, straightforward HTTP requests—makes this a practical risk even for moderately skilled attackers.

Remediation

Upgrade Flowise to version 3.1.2 or later immediately. The patch introduces proper authorization middleware for the OpenAI Assistants Vector Store endpoints, ensuring that only authorized users can perform CRUD operations. If immediate patching is not possible, restrict API key issuance to highly trusted accounts, rotate compromised keys, implement network-level access controls to limit who can reach the /api/v1/openai-assistants-vector-store endpoints, and monitor vector store activity for suspicious modifications.

Patch guidance

Version 3.1.2 contains the fix. Review your Flowise deployment version via the admin interface or by checking package.json in your installation. Upgrade using your standard deployment method (Docker, npm, source build). After patching, verify that vector store endpoints now enforce proper authorization by testing with multiple user roles. If running a production SaaS deployment, stage the upgrade in a non-production environment first and test API key-based access patterns before rolling to production.

Detection guidance

Monitor API logs for repeated requests to /api/v1/openai-assistants-vector-store endpoints, particularly from API keys that should not have access to vector stores. Look for DELETE or PATCH operations on endpoints that typically should be read-only. Correlate vector store modification timestamps with authentication logs to identify unauthorized changes. Search for patterns of cross-user vector store access—if User A's API key is accessing User B's vector store, that is suspicious. If you have vector store backups, compare current configurations to historical snapshots to detect tampering.

Why prioritize this

This is a HIGH priority patch. The vulnerability sits at the intersection of easily exploitable (API key auth, no complex preconditions), high impact (confidentiality, integrity, and availability of sensitive data), and broad applicability across all Flowise versions before 3.1.2. Organizations actively using Flowise for production RAG pipelines or multi-tenant SaaS should patch within 1-2 weeks. If your Flowise deployment manages non-public vector stores or proprietary embeddings, prioritize even more urgently.

Risk score, explained

The CVSS 8.8 score reflects: (1) Network-accessible endpoint (AV:N), (2) Straightforward exploitation requiring only valid credentials already in hand (AC:L, PR:L), (3) No user interaction required (UI:N), (4) Impact limited to a single system/component (S:U), but (5) complete compromise of confidentiality, integrity, and availability of vector store data (C:H, I:H, A:H). The requirement for prior authentication (PR:L) prevents a theoretical 9.x score, but the severity remains in the HIGH band due to the breadth of impact once authenticated.

Frequently asked questions

Do I need a valid Flowise API key to exploit this?

Yes. The endpoint requires API key authentication, so an attacker must possess a legitimate API key—either by social engineering a user, compromising credentials, or being an insider with access. This is a meaningful barrier but not a strong one if API keys are shared, stored in plaintext, or issued too broadly.

Does this affect vector stores that are not connected to OpenAI?

No. The vulnerability is specific to the /api/v1/openai-assistants-vector-store endpoint used for OpenAI's vector store integration. Other vector store implementations (Pinecone, Weaviate, etc.) are not directly affected by this flaw, though you should verify your Flowise version against the patched release regardless.

If I restrict API key access via network-level controls, is it safe to run an unpatched version?

Network restrictions reduce exposure significantly but do not eliminate risk from internal threats, compromised credentials, or misconfigurations. Patching is the proper remediation; network controls are a temporary compensating measure only while you plan your upgrade.

Will upgrading to 3.1.2 break my existing integrations?

The patch adds authorization enforcement but does not change the API contract or endpoint structure. Existing integrations using the correct user/role context should continue working. However, if your workflows relied on cross-user access via overprivileged API keys, those patterns will now fail and require architectural adjustment.

This analysis is provided for informational purposes by SEC.co and does not constitute professional security advice, legal counsel, or a guarantee of remediation effectiveness. Verify all patch version numbers, CVE details, and affected product lists against the official Flowise GitHub repository and vendor advisories before taking action. Testing of patches should occur in non-production environments first. Your organization's security posture, threat model, and risk tolerance are unique; adjust prioritization and remediation timelines accordingly. SEC.co assumes no liability for decisions made based on this intelligence. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).