CVE-2026-30820 · HIGH 8.8 · EPSS p37.4%

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.48% probability of exploitation · percentile 37.4% · 2026-06-19T12:03:05Z
Published: 2026-03-07
Last modified: 2026-03-11

Underlying weaknesses · 1

CWE-863

References

  1. https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13
  2. https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq

Type      Target                             Confidence  Tier
Weakness  Incorrect Authorization (cwe-863)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-41273
CVE: CVE-2026-30823
CVE: CVE-2026-30824
CVE: CVE-2026-31829
CVE: CVE-2026-41271
CVE: CVE-2026-41267
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.