CVE-2026-46443
Published: 2026-06-08
Priority: P339 (medium)
CVSS 3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.27% (18.6th percentile)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response. The code properly omits encryptedData when no filter is used but fails to do so when a filter is used. This issue has been patched in version 3.1.2.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowiseai | flowise | < 3.1.2 | 3.1.2 |
| flowiseai | flowise | >= 0 < 3.1.2 | 3.1.2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 7.0 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
FlowiseAI Flowise up to 3.1.1 encryptedData information disclosure
vuldb·2026-06-08·CVSS 7.0
CVE-2026-46443 [HIGH] FlowiseAI Flowise up to 3.1.1 encryptedData information disclosure
A vulnerability classified as problematic was found in FlowiseAI Flowise up to 3.1.1. The impacted element is an unknown function. The manipulation of the argument encryptedData results in information disclosure.
This vulnerability is reported as CVE-2026-46443. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is advised.
GHSA
FlowiseAI Vulnerable to Credential Data Leak
ghsa·2026-05-14
CVE-2026-46443 [HIGH] CWE-200 FlowiseAI Vulnerable to Credential Data Leak
**Severity**: HIGH (CVSS ~7.5)
**Type**: CWE-200 (Exposure of Sensitive Information)
**File**: `packages/server/src/services/credentials/index.ts:62-71`
**Description**: When credentials are fetched with a `credentialName` filter parameter, the `encryptedData` field is NOT stripped from the response. The code properly omits `encryptedData` when NO filter is used (line 102) but fails to do so when a filter IS used (lines 62-63, 70-71).
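The pattern described above, shown next to a hardened form, as an added example that is not Flowise's code or its 3.1.2 patch. `ROWS`, `toPublic`, `listVulnerable`, `listHardened` and `findLeaks` are hypothetical names, and the rows are constructed sample data.

```typescript
// Added example: in-memory stand-in for the credential table (constructed rows).
interface CredentialRow {
    id: string
    name: string
    credentialName: string
    encryptedData: string
}
type PublicCredential = Omit<CredentialRow, 'encryptedData'>

const ROWS: CredentialRow[] = [
    { id: '1', name: 'prod key', credentialName: 'openAIApi', encryptedData: 'CONSTRUCTED-CIPHERTEXT-1' },
    { id: '2', name: 'search key', credentialName: 'serpApi', encryptedData: 'CONSTRUCTED-CIPHERTEXT-2' }
]

// The one place where the secret column is dropped; returns a copy, the row is untouched.
function toPublic(row: CredentialRow): PublicCredential {
    const { encryptedData: _secret, ...rest } = row
    return rest
}

// Pattern the advisory describes: only the unfiltered branch strips the field.
function listVulnerable(credentialName?: string): object[] {
    if (credentialName) {
        return ROWS.filter((r) => r.credentialName === credentialName) // raw rows go out
    }
    return ROWS.map(toPublic)
}

// Hardened: select rows first, then strip on the single shared return path.
function listHardened(credentialName?: string): PublicCredential[] {
    const rows = credentialName ? ROWS.filter((r) => r.credentialName === credentialName) : ROWS
    return rows.map(toPublic)
}

// Regression helper: every JSON path in a response body that carries the key.
function findLeaks(value: unknown, path: string = '$'): string[] {
    if (value === null || typeof value !== 'object') return []
    const leaks: string[] = []
    const obj = value as Record<string, unknown>
    for (const key of Object.keys(obj)) {
        const child = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`
        if (key === 'encryptedData') leaks.push(child)
        else leaks.push(...findLeaks(obj[key], child))
    }
    return leaks
}
```

Running `findLeaks` over both the filtered and unfiltered responses in a test suite catches a branch that skips the stripping step.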
**Evidence**:
```typescript
// Lines 62-63: WITH filter - encryptedData LEAKED
const credentials = await appServer.AppDataSource.getRepository(Credential).findBy(searchOptions)
dbResponse.push(...credentials) // encryptedData NOT removed!
// Lines 100-102: WITHOUT filter - encryptedData prop
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.