GHSA-PHP6-83FG-GW3G

Vulnerability from github – Published: 2026-05-14 14:54 – Updated: 2026-06-09 13:10
Summary
FlowiseAI Exposes Basic Auth Credentials via API
Details

Detection Method: Kolega.dev Deep Code Scan

Attribute                 Value
Severity                  Medium
CWE                       CWE-522 (Insufficiently Protected Credentials)
Location                  packages/server/src/enterprise/controllers/account.controller.ts:128-135
Practical Exploitability  Medium
Developer Approver        faizan@kolega.ai

Description

The checkBasicAuth endpoint compares the submitted username and password directly against the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables with the JavaScript === operator, applies no rate limiting, and returns a distinct message on failure.

Affected Code

public async checkBasicAuth(req: Request, res: Response) {
    const { username, password } = req.body   // raw JSON body; nothing throttles requests before this point
    // JavaScript === against the raw environment values: not constant-time, and any mismatch falls through
    if (username === process.env.FLOWISE_USERNAME && password === process.env.FLOWISE_PASSWORD) {
        return res.json({ message: 'Authentication successful' })
    }
    // (the advisory's snippet ends here; per the Notes below, the fall-through responds with 'Authentication failed')
}

Evidence

Credentials are submitted in the JSON request body and compared directly against the environment variables with ===, so no hashing or constant-time comparison is involved. No rate limiting applies to this endpoint, so brute-force attempts are unthrottled. The endpoint returns different messages for success and failure, so the outcome of every guess is directly observable.

Impact

Credential brute-forcing: attackers can make unlimited username/password guesses against the basic-auth login. A successful guess grants access to the application.

Recommendation

1) Implement rate limiting on this endpoint.
2) Use a constant-time comparison to prevent timing attacks.
3) Consider comparing hashes rather than raw values.
4) Return generic error messages.
5) Add logging for failed attempts.

Notes

The checkBasicAuth endpoint at lines 128-135 has several security issues:

(1) No rate limiting. The RateLimiterManager only applies to chatflow-specific endpoints, not to the auth endpoint, so an attacker can make unlimited brute-force attempts.
(2) Comparison with the JavaScript === operator, which is not constant-time and so could in principle leak information through timing. (A remote timing attack against a short string compare is hard to carry out in practice, but the constant-time fix is cheap.)
(3) Different messages for success ('Authentication successful') and failure ('Authentication failed'), so the outcome of every guess is directly observable.

The endpoint compares the submitted credentials against the environment variables FLOWISE_USERNAME and FLOWISE_PASSWORD. This basic-auth mode is intended for simpler deployments, but the lack of rate limiting makes it actively exploitable for credential brute-forcing.
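To show what the five recommendations look like in code, here is an added example, written for this page and not taken from the Flowise code base: the hardened counterpart to the snippet above, with a constant-time comparison, a per-client attempt limiter for the login route, one generic failure response, and logging of failed attempts. `safeEqual`, `AttemptLimiter`, `makeCheckBasicAuth`, `simulateGuesses` and the `AuthRequest`/`AuthResponse`/`AuthEnv` shapes are this example's own names, chosen so it runs without Express; `env` stands in for `process.env`, and the guess list used to exercise it is constructed. Only the FLOWISE_USERNAME and FLOWISE_PASSWORD variable names and the success message come from the advisory. One caveat the advisory's point (3) glosses over: a login endpoint must still tell the caller whether the login succeeded, so "generic" here means that a wrong username, a wrong password and a malformed body all produce the identical response, and that the throttle answers before any credential is examined.

```typescript
// Added example, not Flowise's code. Names below are this example's own.
import { createHash, timingSafeEqual } from 'node:crypto';

// Constant-time equality for secrets. Hashing both sides first yields equal-length
// buffers, so timingSafeEqual applies and an early mismatch cannot leak the length
// of the secret (this replaces the non-constant-time `===`).
function safeEqual(a: string, b: string): boolean {
  const ha = createHash('sha256').update(a, 'utf8').digest();
  const hb = createHash('sha256').update(b, 'utf8').digest();
  return timingSafeEqual(ha, hb);
}

// Fixed-window attempt limiter keyed by client address. Flowise's RateLimiterManager
// is scoped to chatflow endpoints (per the advisory), so the login route gets its own.
class AttemptLimiter {
  private readonly max: number;
  private readonly windowMs: number;
  private readonly attempts = new Map<string, { count: number; windowStart: number }>();

  constructor(max: number, windowMs: number) {
    this.max = max;
    this.windowMs = windowMs;
  }

  // Records one attempt for `key`; returns false once the window's budget is spent.
  consume(key: string, now: number = Date.now()): boolean {
    const rec = this.attempts.get(key);
    if (rec === undefined || now - rec.windowStart >= this.windowMs) {
      this.attempts.set(key, { count: 1, windowStart: now });
      return true;
    }
    if (rec.count >= this.max) return false;
    rec.count += 1;
    return true;
  }
}

interface AuthRequest { ip: string; body: { username?: unknown; password?: unknown } }
interface AuthResponse { status: number; body: { message: string } }
interface AuthEnv { FLOWISE_USERNAME?: string; FLOWISE_PASSWORD?: string }
type Checker = (req: AuthRequest, now?: number) => AuthResponse;

// Builds the handler. `env` stands in for process.env and `log` for the server's
// logger so the behaviour can be exercised deterministically.
function makeCheckBasicAuth(env: AuthEnv, limiter: AttemptLimiter, log: (line: string) => void): Checker {
  const failure: AuthResponse = { status: 401, body: { message: 'Invalid credentials' } };

  return function checkBasicAuth(req: AuthRequest, now: number = Date.now()): AuthResponse {
    // 1) Throttle before touching the credentials at all.
    if (!limiter.consume(req.ip, now)) {
      log(`auth throttled ip=${req.ip}`);
      return { status: 429, body: { message: 'Too many attempts, try again later' } };
    }

    const { username, password } = req.body;
    const expectedUser = env.FLOWISE_USERNAME;
    const expectedPass = env.FLOWISE_PASSWORD;

    // Refuse outright when the deployment never set credentials instead of comparing
    // the request against `undefined`; same response as a bad guess (4).
    if (typeof username !== 'string' || typeof password !== 'string' || !expectedUser || !expectedPass) {
      log(`auth failure ip=${req.ip} reason=malformed-or-unconfigured`);
      return failure;
    }

    // 2)/3) Both comparisons are constant-time and both are always evaluated, so a
    // correct username on its own is not detectable.
    const userOk = safeEqual(username, expectedUser);
    const passOk = safeEqual(password, expectedPass);
    if (userOk && passOk) {
      return { status: 200, body: { message: 'Authentication successful' } };
    }

    // 5) Log the failed attempt (the submitted password is never logged).
    log(`auth failure ip=${req.ip} user=${JSON.stringify(username)}`);
    return failure;
  };
}

// Drives the handler with a list of password guesses from one client address and
// returns the HTTP statuses seen, to show the throttle taking over mid-run.
function simulateGuesses(check: Checker, ip: string, guesses: string[], at: number): number[] {
  return guesses.map((pw) => check({ ip, body: { username: 'admin', password: pw } }, at).status);
}
```

Keying the limiter on `req.ip` assumes the application sees the real client address (behind a reverse proxy, Express's `trust proxy` setting must be configured), and an in-memory map only protects a single instance; a per-username lockout or a shared store is needed once the server is replicated. Note that with a budget of five attempts per window, even the correct password is refused with 429 on the sixth try until the window expires.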


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T14:54:46Z",
    "nvd_published_at": "2026-06-08T16:16:41Z",
    "severity": "HIGH"
  },
  "details": "**Detection Method:** Kolega.dev Deep Code Scan\n\n| Attribute | Value |\n|---|---|\n| Severity | Medium |\n| CWE | CWE-522 (Insufficiently Protected Credentials) |\n| Location | packages/server/src/enterprise/controllers/account.controller.ts:128-135 |\n| Practical Exploitability | Medium |\n| Developer Approver | faizan@kolega.ai |\n\n### Description\nThe checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison.\n\n### Affected Code\n```\npublic async checkBasicAuth(req: Request, res: Response) {\n    const { username, password } = req.body\n    if (username === process.env.FLOWISE_USERNAME \u0026\u0026 password === process.env.FLOWISE_PASSWORD) {\n        return res.json({ message: \u0027Authentication successful\u0027 })\n```\n\n### Evidence\nCredentials are sent in plaintext in request body and compared directly without hashing. No rate limiting prevents brute force attacks. The endpoint returns different messages for success/failure, enabling enumeration.\n\n### Impact\nCredential brute-forcing - attackers can attempt unlimited username/password combinations against the basic auth system. Successful attacks grant access to the application.\n\n### Recommendation\n1) Implement rate limiting on this endpoint, 2) Use constant-time comparison to prevent timing attacks, 3) Consider using hashed comparison, 4) Return generic error messages, 5) Add logging for failed attempts.\n\n### Notes\nThe checkBasicAuth endpoint at line 128-135 has multiple security issues: (1) No rate limiting - the RateLimiterManager only applies to chatflow-specific endpoints, not auth endpoints. Attackers can perform unlimited brute force attempts. (2) Uses JavaScript === operator for comparison which is not constant-time, potentially enabling timing attacks. (3) Returns different messages for success (\u0027Authentication successful\u0027) vs failure (\u0027Authentication failed\u0027), enabling credential enumeration. \nThe endpoint compares plaintext credentials against environment variables FLOWISE_USERNAME and FLOWISE_PASSWORD. While this is basic auth for simpler deployments, the lack of rate limiting makes it actively exploitable for credential brute-forcing.",
  "id": "GHSA-php6-83fg-gw3g",
  "modified": "2026-06-09T13:10:09Z",
  "published": "2026-05-14T14:54:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-php6-83fg-gw3g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46440"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FlowiseAI Exposes Basic Auth Credentials via API"
}