Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.7
Flowise: Sensitive Data Leaked in Public Chatbot Configuration
GHSA-4jpm-cgx2-8h37
Summary
Flowise's public chatbot configuration API allows unauthorized access to sensitive data, including API keys and login credentials, by using a chatflow UUID. This can lead to data theft and unauthorized access. Flowise users should review their chatbot configurations and ensure they are not exposing sensitive information.
What to do
- Update henryheng flowise to version 3.1.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | henryheng | flowise |
<= 3.0.13 Fix: upgrade to 3.1.0
|
Original title
Flowise: Sensitive Data Leak in public-chatbotConfig
Original description
### Summary
`/api/v1/public-chatbotConfig/:id `ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more.
### Details
Knowledge of chatflow UUID can be obtained from embedded chat widgets, referrer headers or logs and it's the only prerequest.
`getSinglePublicChatbotConfig` function in `packages/server/src/services/chatflows/index.ts` returns the full **flowData** object without authorization check or data sanitization.
There is a comment as **"Safe as public endpoint as chatbotConfig doesn't contain sensitive credential"** but **flowData** does contain sensitive data such as:
`type: 'password'` fields are stored in plaintext (unstructuredAPIKey in S3File node).
HTTP Authorization headers in POST / GET Requests nodes.
Internal API endpoints and webhook URLs.
### PoC
- Add an S3 File node, set "File Processing Method" to "Unstructured".
- Enter an API key in "Unstructured API KEY" field or add a Requests Post node with Authorization header.
- Save the chatflow.
`curl -s "https://localhost/api/v1/public-chatbotConfig/{CHATFLOW_UUID}"`
Response:
```
{
"flowData": "{...\"unstructuredAPIKey\":\"victim_key\"...\"requestsPostHeaders\":\"Bearer victim_token\"...}"
}
```
### Impact
Impacts all Flowise Cloud users with chatflows containing password type fields or any HTTP headers. And self hosted Flowise instances exposed to the internet.
`/api/v1/public-chatbotConfig/:id `ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more.
### Details
Knowledge of chatflow UUID can be obtained from embedded chat widgets, referrer headers or logs and it's the only prerequest.
`getSinglePublicChatbotConfig` function in `packages/server/src/services/chatflows/index.ts` returns the full **flowData** object without authorization check or data sanitization.
There is a comment as **"Safe as public endpoint as chatbotConfig doesn't contain sensitive credential"** but **flowData** does contain sensitive data such as:
`type: 'password'` fields are stored in plaintext (unstructuredAPIKey in S3File node).
HTTP Authorization headers in POST / GET Requests nodes.
Internal API endpoints and webhook URLs.
### PoC
- Add an S3 File node, set "File Processing Method" to "Unstructured".
- Enter an API key in "Unstructured API KEY" field or add a Requests Post node with Authorization header.
- Save the chatflow.
`curl -s "https://localhost/api/v1/public-chatbotConfig/{CHATFLOW_UUID}"`
Response:
```
{
"flowData": "{...\"unstructuredAPIKey\":\"victim_key\"...\"requestsPostHeaders\":\"Bearer victim_token\"...}"
}
```
### Impact
Impacts all Flowise Cloud users with chatflows containing password type fields or any HTTP headers. And self hosted Flowise instances exposed to the internet.
ghsa CVSS4.0
7.7
Vulnerability type
CWE-200
Information Exposure
CWE-522
Insufficiently Protected Credentials
CWE-862
Missing Authorization
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026