CVE-2026-46440
Published 2026-06-08
Priority: P354 · Severity: critical 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.25% (16.3rd percentile)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowiseai | flowise | < 3.1.2 | 3.1.2 |
| flowiseai | flowise | >= 0 < 3.1.2 | 3.1.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
VulDB
CVE-2026-46440 [HIGH] FlowiseAI Flowise up to 3.1.1 checkBasicAuth Endpoint insufficiently protected credentials
vuldb · 2026-06-08 · CVSS 7.5
A vulnerability classified as problematic has been identified in FlowiseAI Flowise up to 3.1.1. An unknown function of the checkBasicAuth Endpoint component is affected. Manipulation can lead to insufficiently protected credentials.
This vulnerability is registered as CVE-2026-46440. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is recommended.
GHSA
CVE-2026-46440 [HIGH] CWE-522 FlowiseAI Exposes Basic Auth Credentials via API
ghsa · 2026-05-14
**Detection Method:** Kolega.dev Deep Code Scan
| Attribute | Value |
|---|---|
| Severity | Medium |
| CWE | CWE-522 (Insufficiently Protected Credentials) |
| Location | packages/server/src/enterprise/controllers/account.controller.ts:128-135 |
| Practical Exploitability | Medium |
| Developer Approver | [email protected] |
### Description
The checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison.
### Affected Code
```typescript
public async checkBasicAuth(req: Request, res: Response) {
    const { username, password } = req.body
    // As published: secrets held in plaintext env vars, compared with `===` (not constant-time),
    // and no rate limiting on the endpoint.
    if (username === process.env.FLOWISE_USERNAME && password === process.env.FLOWISE_PASSWORD) {
        return res.json({ message: 'Authentication successful' })
    }
    // failure branch not included in the advisory excerpt
}
```
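A hardened counterpart of the check above, added here as an example rather than Flowise's own code (the actual 3.1.2 fix is not reproduced on this page): both sides are hashed before a constant-time comparison, and a per-client failure limit is applied. The name `checkBasicAuthHardened`, the fallback credentials and the limiter parameters are constructed for the example.

```typescript
import { createHash, timingSafeEqual } from "crypto";
// Expected credentials: read from env like the original; fallbacks are constructed for the example.
const EXPECTED_USERNAME = process.env.FLOWISE_USERNAME ?? "admin";
const EXPECTED_PASSWORD = process.env.FLOWISE_PASSWORD ?? "correct-horse-battery-staple";

// Hash both sides first: timingSafeEqual needs equal-length buffers, and the
// comparison then takes the same time whatever the attacker-controlled input length.
function safeEqual(a: string, b: string): boolean {
  const ha = createHash("sha256").update(a, "utf8").digest();
  const hb = createHash("sha256").update(b, "utf8").digest();
  return timingSafeEqual(ha, hb);
}

// Fixed-window limiter (constructed parameters): MAX_ATTEMPTS failures per client per window.
const MAX_ATTEMPTS = 5;
const WINDOW_MS = 15 * 60 * 1000;
const failures = new Map<string, { count: number; windowStart: number }>();
function isRateLimited(clientKey: string, now: number): boolean {
  const entry = failures.get(clientKey);
  if (!entry || now - entry.windowStart >= WINDOW_MS) return false;
  return entry.count >= MAX_ATTEMPTS;
}
function recordFailure(clientKey: string, now: number): void {
  const entry = failures.get(clientKey);
  if (!entry || now - entry.windowStart >= WINDOW_MS) {
    failures.set(clientKey, { count: 1, windowStart: now });
  } else {
    entry.count += 1;
  }
}

type AuthResult = { status: 200 | 401 | 429; message: string };

// Hardened counterpart of checkBasicAuth (hypothetical name): takes what req.body would carry,
// plus a client key (e.g. source IP) for the limiter; returns what the handler would send.
function checkBasicAuthHardened(username: unknown, password: unknown,
                                clientKey: string, now: number = Date.now()): AuthResult {
  if (isRateLimited(clientKey, now)) return { status: 429, message: "Too many attempts" };
  if (typeof username !== "string" || typeof password !== "string") {
    recordFailure(clientKey, now);
    return { status: 401, message: "Authentication failed" };
  }
  // Evaluate both comparisons before branching so a wrong username costs the same as a wrong password.
  const userOk = safeEqual(username, EXPECTED_USERNAME);
  const passOk = safeEqual(password, EXPECTED_PASSWORD);
  if (userOk && passOk) return { status: 200, message: "Authentication successful" };
  recordFailure(clientKey, now);
  return { status: 401, message: "Authentication failed" };
}
```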
### Evidence
- No detection rules found.
- No public exploits indexed.
- No writeups or analysis indexed.