Flowise Text-to-Speech API Credit Abuse via Unauthenticated Endpoint
The Flowise text-to-speech generation endpoint is vulnerable to unauthorized access due to accepting arbitrary credential IDs in the request body, enabling attackers to use victim's API keys for services like OpenAI and ElevenLabs, consume their API credits, and generate unlimited speech content at the victim's expense; this affects Flowise versions 3.0.13 and earlier.
Flowise is vulnerable to an unauthenticated API credit abuse issue affecting the text-to-speech (TTS) generation endpoint (/api/v1/text-to-speech/generate). This vulnerability exists because the endpoint is whitelisted and accepts a credentialId directly within the request body. An attacker can exploit this by sending a POST request to the TTS endpoint with a valid credentialId obtained from a victim, bypassing authentication checks when the chatflowId is not provided. This allows unauthorized use of the victim's linked services such as OpenAI, ElevenLabs, Azure, or Google TTS services, leading to the depletion of API credits and the generation of arbitrary audio content at their cost. The vulnerability impacts Flowise versions up to and including version 3.0.13.
Attack Chain
- Attacker identifies a vulnerable Flowise instance running version 3.0.13 or earlier.
- Attacker gains knowledge of a valid
credentialIdassociated with a victim's linked TTS service (e.g., OpenAI, ElevenLabs). This might be through exposed API endpoints from a separate finding, or through other means. - Attacker crafts a POST request to
/api/v1/text-to-speech/generate, omitting thechatflowIdparameter. - The POST request includes the attacker-controlled
credentialIdin the body along with parameters forprovider,voice, andmodelfor the TTS generation. - The vulnerable endpoint processes the request without authentication due to its whitelisted status in
packages/server/src/utils/constants.ts. - The endpoint utilizes the provided
credentialIdto decrypt and use the stored API key for the specified TTS provider (OpenAI, ElevenLabs, etc.). - The endpoint initiates TTS generation using the victim's API credentials.
- The attacker successfully generates speech content, consuming the victim's API credits without authorization, demonstrating abuse of resource-development capabilities.
Impact
Successful exploitation of this vulnerability allows an attacker to use a victim's API keys (OpenAI, ElevenLabs, Azure, Google) without authorization. This can result in the unauthorized consumption of API credits from the victim's account, potentially incurring significant financial costs. The attacker can generate unlimited speech content at the victim's expense, causing further financial strain and potential disruption of service. When combined with other vulnerabilities that expose credential IDs, the exploitability of this issue is greatly increased.
Recommendation
- Apply the suggested fix by removing the TTS endpoint from
WHITELIST_URLSinpackages/server/src/utils/constants.tsor implement credential validation to ensure thecredentialIdbelongs to the chatflow being used. - Monitor web server logs for POST requests to
/api/v1/text-to-speech/generatewithout achatflowIdparameter as indicated in the rule "Detect Flowise Unauthenticated TTS Request". - Review and restrict access to any APIs or endpoints that may expose
credentialIdvalues to prevent attackers from obtaining valid credentials for this exploit.
Detection coverage 2
Detect Flowise Unauthenticated TTS Request
highDetects POST requests to the Flowise text-to-speech endpoint without a chatflowId, indicating potential unauthorized access.
Detect Flowise TTS Request with Credential ID
mediumDetects POST requests to the Flowise text-to-speech endpoint containing a credentialId in the request body.
Detection queries are available on the platform. Get full rules →