CVE-2026-56270
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk30th percentile — higher than 30% of all known CVEs
Summary
Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including OAuth client secrets in cleartext, by providing an organizationId parameter.
Risk Assessment
Remote attackers can send GET requests to harvest sensitive API credentials for Google, Microsoft/Azure, GitHub, and Auth0 integrations, posing a serious security threat to the organization.
Recommendation
It is recommended to upgrade Flowise to version 3.1.0 or later and to secure the /api/v1/loginmethod endpoint from unauthorized access.
Original NVD description (English source)
Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including OAuth client secrets in cleartext, by providing an organizationId parameter. Remote attackers can send a GET request to harvest sensitive API credentials for Google, Microsoft/Azure, GitHub, and Auth0 integrations. This affects FlowiseAI Cloud and self-hosted instances where the endpoint is exposed.

