Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
Flowise: Sensitive Data Exposed in Public Chatbot Config
GHSA-4jpm-cgx2-8h37
Summary
Flowise exposes sensitive data, including API keys and passwords, in public chatbot configurations without authentication. This means an attacker can access and steal sensitive information by knowing a chatflow ID. To protect yourself, ensure you have proper authentication and authorization in place for accessing chatbot configurations.
What to do
- Update henryheng flowise to version 3.1.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | henryheng | flowise |
< 3.1.0 Fix: upgrade to 3.1.0
|
Original title
Flowise: Sensitive Data Leak in public-chatbotConfig
Original description
### Summary
`/api/v1/public-chatbotConfig/:id `ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more.
### Details
Knowledge of chatflow UUID can be obtained from embedded chat widgets, referrer headers or logs and it's the only prerequest.
`getSinglePublicChatbotConfig` function in `packages/server/src/services/chatflows/index.ts` returns the full **flowData** object without authorization check or data sanitization.
There is a comment as **"Safe as public endpoint as chatbotConfig doesn't contain sensitive credential"** but **flowData** does contain sensitive data such as:
`type: 'password'` fields are stored in plaintext (unstructuredAPIKey in S3File node).
HTTP Authorization headers in POST / GET Requests nodes.
Internal API endpoints and webhook URLs.
### PoC
- Add an S3 File node, set "File Processing Method" to "Unstructured".
- Enter an API key in "Unstructured API KEY" field or add a Requests Post node with Authorization header.
- Save the chatflow.
`curl -s "https://localhost/api/v1/public-chatbotConfig/{CHATFLOW_UUID}"`
Response:
```
{
"flowData": "{...\"unstructuredAPIKey\":\"victim_key\"...\"requestsPostHeaders\":\"Bearer victim_token\"...}"
}
```
### Impact
Impacts all Flowise Cloud users with chatflows containing password type fields or any HTTP headers. And self hosted Flowise instances exposed to the internet.
`/api/v1/public-chatbotConfig/:id `ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more.
### Details
Knowledge of chatflow UUID can be obtained from embedded chat widgets, referrer headers or logs and it's the only prerequest.
`getSinglePublicChatbotConfig` function in `packages/server/src/services/chatflows/index.ts` returns the full **flowData** object without authorization check or data sanitization.
There is a comment as **"Safe as public endpoint as chatbotConfig doesn't contain sensitive credential"** but **flowData** does contain sensitive data such as:
`type: 'password'` fields are stored in plaintext (unstructuredAPIKey in S3File node).
HTTP Authorization headers in POST / GET Requests nodes.
Internal API endpoints and webhook URLs.
### PoC
- Add an S3 File node, set "File Processing Method" to "Unstructured".
- Enter an API key in "Unstructured API KEY" field or add a Requests Post node with Authorization header.
- Save the chatflow.
`curl -s "https://localhost/api/v1/public-chatbotConfig/{CHATFLOW_UUID}"`
Response:
```
{
"flowData": "{...\"unstructuredAPIKey\":\"victim_key\"...\"requestsPostHeaders\":\"Bearer victim_token\"...}"
}
```
### Impact
Impacts all Flowise Cloud users with chatflows containing password type fields or any HTTP headers. And self hosted Flowise instances exposed to the internet.
osv CVSS4.0
7.5
Vulnerability type
CWE-200
Information Exposure
CWE-522
Insufficiently Protected Credentials
CWE-862
Missing Authorization
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026