📄 Description (English)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows AND public-chatbotConfig return completely raw flowData including credential IDs, plaintext API keys, and password-type fields. This vulnerability is fixed in 3.1.0.
🤖 AI Executive Summary
Flowise versions prior to 3.1.0 expose sensitive credential data including API keys and passwords through unauthenticated public chatflow endpoints. The GET /api/v1/public-chatflows/:id endpoint returns complete, unsanitized flowData containing plaintext credentials and credential IDs. This critical information disclosure vulnerability affects organizations using Flowise for LLM deployments and is actively exploitable with no patch currently available for production systems.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 2, 2026 06:54
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations leveraging Flowise for AI/LLM implementations face critical exposure of API credentials and authentication tokens. High-risk sectors include: (1) Banking & Financial Services (SAMA-regulated) using Flowise for customer service chatbots and financial advisory LLMs; (2) Government agencies (NCA oversight) deploying Flowise for citizen services; (3) Healthcare providers using LLM chatflows for patient interaction; (4) Telecommunications (STC, Mobily) integrating Flowise for customer support; (5) Energy sector (ARAMCO, utilities) using LLM flows for operational support. Exposed credentials could enable lateral movement into backend systems, API abuse, and unauthorized access to sensitive business logic and customer data.
🏢 Affected Saudi Sectors
Banking & Financial Services
Government & Public Administration
Healthcare & Medical Services
Telecommunications
Energy & Utilities
E-commerce & Retail
Insurance
Education
🎯 MITRE ATT&CK Techniques
T1526 - Exposure of Sensitive Information (plaintext credentials in API responses)
T1589 - Gather Victim Identity Information (credential harvesting from public endpoints)
T1110 - Brute Force (exposed API keys enable unauthorized access)
T1021 - Remote Services (compromised credentials enable lateral movement)
T1552 - Unsecured Credentials (credentials stored and exposed in flowData)
T1040 - Traffic Capture or Redirection (credentials transmitted in cleartext responses)
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all Flowise deployments: identify instances running versions <3.1.0 and document all public chatflows
2. Disable public chatflow endpoints immediately: set all public-chatflows to private or restrict network access via WAF/firewall rules
3. Rotate all exposed credentials: regenerate API keys, passwords, and tokens that may have been exposed through public endpoints
4. Review access logs: check for unauthorized access to /api/v1/public-chatflows/ and /api/v1/public-chatbotConfig endpoints (look for non-standard User-Agents, unusual IP ranges, high request volumes)
PATCHING GUIDANCE:
1. Upgrade to Flowise 3.1.0 or later immediately when available in your deployment environment
2. For Docker deployments: pull latest image and redeploy with credential rotation
3. Test sanitization in staging: verify sanitizeFlowDataForPublicEndpoint function is active post-upgrade
COMPENSATING CONTROLS (if upgrade delayed):
1. Implement WAF rules blocking access to /api/v1/public-chatflows and /api/v1/public-chatbotConfig endpoints
2. Deploy reverse proxy authentication requiring API keys for all Flowise endpoints
3. Network segmentation: isolate Flowise instances from production systems
4. Implement request logging and alerting on public endpoint access
DETECTION RULES:
1. Monitor for GET requests to /api/v1/public-chatflows/* with response sizes >10KB (indicates full flowData exposure)
2. Alert on /api/v1/public-chatbotConfig access patterns
3. Search logs for patterns: 'credential', 'apiKey', 'password' in HTTP responses from Flowise endpoints
4. Detect credential exfiltration: monitor for API key usage from unexpected sources post-exposure
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع نشرات Flowise: تحديد الحالات التي تعمل بإصدارات <3.1.0 وتوثيق جميع chatflows العامة
2. تعطيل نقاط نهاية chatflow العامة فوراً: تعيين جميع public-chatflows على خاص أو تقييد الوصول إلى الشبكة عبر قواعد WAF/جدار الحماية
3. تدوير جميع بيانات الاعتماد المكشوفة: إعادة إنشاء مفاتيح API وكلمات المرور والرموز التي قد تكون قد تعرضت من خلال نقاط النهاية العامة
4. مراجعة سجلات الوصول: التحقق من الوصول غير المصرح به إلى نقاط نهاية /api/v1/public-chatflows/ و /api/v1/public-chatbotConfig (ابحث عن User-Agents غير القياسية ونطاقات IP غير المعتادة وأحجام الطلبات العالية)
إرشادات التصحيح:
1. الترقية إلى Flowise 3.1.0 أو أحدث فوراً عند توفره في بيئة النشر الخاصة بك
2. لنشرات Docker: اسحب أحدث صورة وأعد النشر مع تدوير بيانات الاعتماد
3. اختبار التطهير في التدريج: تحقق من أن وظيفة sanitizeFlowDataForPublicEndpoint نشطة بعد الترقية
الضوابط التعويضية (إذا تأخر الترقية):
1. تنفيذ قواعد WAF تحظر الوصول إلى نقاط نهاية /api/v1/public-chatflows و /api/v1/public-chatbotConfig
2. نشر مصادقة reverse proxy تتطلب مفاتيح API لجميع نقاط نهاية Flowise
3. تقسيم الشبكة: عزل حالات Flowise عن الأنظمة الإنتاجية
4. تنفيذ تسجيل الطلبات والتنبيهات على أنماط الوصول إلى نقطة النهاية العامة
قواعد الكشف:
1. مراقبة طلبات GET إلى /api/v1/public-chatflows/* بأحجام استجابة >10KB (يشير إلى كشف flowData الكامل)
2. التنبيه على أنماط الوصول /api/v1/public-chatbotConfig
3. البحث في السجلات عن الأنماط: 'credential' و 'apiKey' و 'password' في استجابات HTTP من نقاط نهاية Flowise
4. كشف تسرب بيانات الاعتماد: مراقبة استخدام مفاتيح API من مصادر غير متوقعة بعد التعرض
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information Security Policies (credential exposure violates secure configuration requirements)
ECC 2024 A.6.1.2 - Access Control (public endpoints expose sensitive data without authentication)
ECC 2024 A.8.2.1 - Cryptography (plaintext API keys and passwords exposed)
ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities (unpatched public disclosure vulnerability)
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset Management (inventory and manage all Flowise instances)
SAMA CSF PR.AC-1 - Access Control (enforce authentication on all endpoints)
SAMA CSF PR.DS-1 - Data Security (protect credentials and sensitive data)
SAMA CSF DE.CM-1 - Detection and Analysis (monitor for unauthorized access to public endpoints)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1.1 - Policies for information security (credential management policy)
ISO 27001:2022 A.6.1.2 - Information security roles and responsibilities
ISO 27001:2022 A.8.2.1 - Cryptographic controls (protection of API keys)
ISO 27001:2022 A.8.3.1 - Separation of duties (public vs. private endpoint access)
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities and exposures
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Default security parameters (Flowise default public exposure)
PCI DSS 3.2.1 - Render PAN unreadable (API keys and credentials must be protected)
PCI DSS 6.2 - Security patches (upgrade to 3.1.0 when available)
PCI DSS 10.2.1 - Implement automated audit trails (monitor public endpoint access)
📦 Affected Products / CPE 1 entries
flowiseai:flowise