8.7 / 10 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in WHITELIST_URLS. However, it is also not protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but no permission checks exist on any operation. This issue has been patched in version 3.1.2.
AI Analysis
Unauthenticated access to CRUD endpoints for OpenAI Assistants Vector Store due to missing authentication middleware and lack of permission checks.
Basic Information
ID: CVE-2026-46444
Source: GitHub_M
Published: Jun 8, 2026 at 15:25
Modified: Jun 8, 2026 at 15:54
Affected Product
Vendor: FlowiseAI
Product: Flowise
Version: < 3.1.2
Affected Versions
FlowiseAI Flowise < 3.1.2
CWE Classification
AI Assessment
AI Score: 8.7 / 10
AI Severity: High