CVE-2026-46440— Flowise: Basic Auth Credentials Exposed via API
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-46440
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Flowise: Basic Auth Credentials Exposed via API
Source: NVD (National Vulnerability Database)
Vulnerability Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不充分的凭证保护机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Flowise 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Flowise是FlowiseAI开源的一个用于轻松构建 LLM 应用程序的工具。 Flowise 3.1.2之前版本存在安全漏洞,该漏洞源于checkBasicAuth端点以明文验证凭据且无速率限制,可能导致凭据泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-46440
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-46440
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-46440 (1)
Vendor Pages for CVE-2026-46440 (1)
Same Patch Batch · FlowiseAI · 2026-06-08 · 14 CVEs total
| CVE-2026-42862 | Flowise: Mass Assignment in Tool Update Endpoint Allows Cross-Workspace Resource Reassignm | |
| CVE-2026-42861 | Flowise: Mass Assignment in Variable Update Endpoint Allows Cross-Workspace Resource Reass | |
| CVE-2026-42863 | Flowise: Mass Assignment in Chatflow Update Endpoint Allows Cross-Workspace AgentFlow Reas | |
| CVE-2026-46476 | Flowise: CustomTemplate create+update mass-assignment allows cross-workspace template take | |
| CVE-2026-46479 | Flowise: Evaluation create+update mass-assignment allows cross-workspace evaluation takeov | |
| CVE-2026-46475 | Flowise: Assistant create+update mass-assignment allows cross-workspace assistant takeover | |
| CVE-2026-46444 | Flowise: Vector Store No Permission Checks | |
| CVE-2026-46478 | Flowise: DatasetRow create+update mass-assignment allows cross-workspace row takeover | |
| CVE-2026-46442 | Flowise: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox E | |
| CVE-2026-46477 | Flowise: Dataset create+update mass-assignment allows cross-workspace dataset takeover | |
| CVE-2026-46480 | Flowise: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover | |
| CVE-2026-46443 | Flowise: Credential Data Leak | |
| CVE-2026-46441 | Flowise: Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource Reas |
IV. Related Vulnerabilities
Same product: Flowise
- CVE-2026-46480
Flowise: Evaluator create+update mass-assignment allows cros - CVE-2026-46479
Flowise: Evaluation create+update mass-assignment allows cro - CVE-2026-46478
Flowise: DatasetRow create+update mass-assignment allows cro - CVE-2026-46477
Flowise: Dataset create+update mass-assignment allows cross- - CVE-2026-46476
Flowise: CustomTemplate create+update mass-assignment allows
Same vendor: FlowiseAI
- CVE-2026-46480
Flowise: Evaluator create+update mass-assignment allows cros - CVE-2026-46479
Flowise: Evaluation create+update mass-assignment allows cro - CVE-2026-46478
Flowise: DatasetRow create+update mass-assignment allows cro - CVE-2026-46477
Flowise: Dataset create+update mass-assignment allows cross- - CVE-2026-46476
Flowise: CustomTemplate create+update mass-assignment allows
Same weakness: CWE-522
- CVE-2026-53840
OpenClaw < 2026.5.12 - Custom Header Leakage via MCP Streama - CVE-2026-6517
Mattermost Desktop App fails to restrict the allow list of d - CVE-2026-49949
CodexBar < 0.33.0 Credential Leakage via HTTP Redirect - CVE-2026-41715
Reactor Netty HTTP Client Leaks Credentials On Protocol Down - CVE-2026-39908
OpenBullet2 0.3.2 NTLMv2 Hash Disclosure via UNC Path Proxy
V. Comments for CVE-2026-46440
No comments yet