Flowise Unauthenticated OAuth 2.0 Access Token Disclosure
Flowise versions 3.0.13 and earlier contain an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow.
Flowise is vulnerable to unauthenticated OAuth 2.0 access token disclosure in versions 3.0.13 and earlier. The vulnerability stems from the exposure of internal flowData via the /api/v1/public-chatbotConfig/<chatflowId> endpoint, which includes OAuth credential identifiers. Subsequently, the /api/v1/oauth2-credential/refresh/<credentialId> endpoint allows OAuth 2.0 tokens to be refreshed without authentication. Combining these two weaknesses, an attacker can retrieve chatflowId values from public chatflows and then obtain valid OAuth 2.0 access tokens without authentication, potentially leading to unauthorized data access and account compromise. This issue affects self-hosted Flowise deployments because public chatflows are designed for unauthenticated access.
Attack Chain
- The attacker identifies a self-hosted Flowise instance running a vulnerable version (<= 3.0.13).
- The attacker accesses a public chatflow, obtaining the
chatflowIdfrom the URL, embedded widget, or browser network requests. Example:d37b9812-72c1-4c64-b152-665f307f755e. - The attacker sends an unauthenticated GET request to
/api/v1/public-chatbotConfig/<chatflowId>to retrieve the internalflowData. - The server responds with the
flowData, which includes an OAuth credential identifier (credentialfield). Example:"credential": "6efe0e20-ba6f-4fbb-9960-658feffa0542". - The attacker crafts an unauthenticated POST request to
/api/v1/oauth2-credential/refresh/<credentialId>, using the obtained credential identifier. - The server, lacking authentication checks, refreshes the OAuth 2.0 token.
- The server responds with valid OAuth 2.0 access token data, including an
access_token. - The attacker uses the obtained OAuth 2.0 access token to access third-party services, potentially leading to unauthorized data access or account compromise.
Impact
Successful exploitation allows an unauthenticated attacker to obtain OAuth 2.0 access tokens for third-party services configured within Flowise. This unauthorized access can result in data breaches, API abuse, or full account compromise on the third-party services. This is especially critical for self-hosted deployments where public chatflows are exposed to the internet. The number of affected instances is currently unknown, but any Flowise instance with public chatflows using OAuth 2.0 is potentially vulnerable.
Recommendation
- Upgrade Flowise to a version higher than 3.0.13 to patch the vulnerability.
- Monitor web server logs for requests to
/api/v1/public-chatbotConfig/and/api/v1/oauth2-credential/refresh/without prior authentication as indicated by the rule "Detect Unauthenticated OAuth2 Credential Refresh". - Implement rate limiting on the
/api/v1/oauth2-credential/refresh/endpoint to mitigate potential abuse. - Deploy the Sigma rules provided in this brief to your SIEM to detect exploitation attempts in real-time.
- Review existing Flowise deployments for exposed public chatflows using OAuth 2.0 credentials.
Detection coverage 2
Detect Unauthenticated Public Chatbot Config Access
mediumDetects unauthenticated access to the public chatbot configuration endpoint in Flowise, which could indicate an attempt to retrieve OAuth credential identifiers.
Detect Unauthenticated OAuth2 Credential Refresh
highDetects unauthenticated requests to refresh OAuth2 credentials in Flowise. Successful exploitation leads to unauthorized access token retrieval.
Detection queries are available on the platform. Get full rules →