Flowise Public Chatflow Endpoint Exposes Sensitive Data
Flowise versions 3.0.13 and earlier expose sensitive information, including credential IDs, plaintext API keys, and passwords, through the `GET /api/v1/public-chatflows/:id` endpoint, leading to account compromise and revealing internal architecture details.
Flowise, an open-source low-code platform for building AI orchestration flows, is vulnerable to sensitive information disclosure. Specifically, versions 3.0.13 and earlier fail to sanitize the flowData returned by the GET /api/v1/public-chatflows/:id and GET /api/v1/public-chatbotConfig/:id endpoints. This oversight exposes credential IDs, plaintext API keys, passwords, and internal node configurations to unauthorized users. The sanitizeFlowDataForPublicEndpoint function, intended to mitigate this issue, is either missing or not implemented correctly in the affected versions, leading to the leakage of sensitive information when a chatflow is marked as public. This vulnerability allows attackers to compromise third-party accounts and gain insights into the application's architecture.
Attack Chain
- An attacker identifies a Flowise instance running a vulnerable version (<= 3.0.13).
- The attacker discovers a public chatflow by guessing or enumerating available chatflow IDs.
- The attacker sends a
GETrequest to/api/v1/public-chatflows/:idor/api/v1/public-chatbotConfig/:id, where:idis the ID of the public chatflow. - The Flowise server responds with the full chatflow object, including the raw
flowData. - The
flowDatacontains unsanitized sensitive information such as credential IDs, plaintext API keys, and passwords stored within node configurations. - The attacker extracts the leaked credential IDs and uses them to attempt OAuth2 token theft.
- The attacker extracts API keys and passwords, using them to compromise third-party accounts or services integrated with the Flowise application.
- The attacker analyzes the node configurations to understand the internal architecture and endpoint URLs of the Flowise application, potentially identifying further vulnerabilities.
Impact
Successful exploitation of this vulnerability can lead to several critical consequences. Credential IDs leaked through the API can be used to steal OAuth2 tokens. Plaintext API keys and passwords within the flowData enable direct compromise of third-party accounts integrated with Flowise. The exposure of internal node configurations and endpoint URLs provides attackers with valuable information to further compromise the Flowise application and its connected services. While the specific number of affected instances is unknown, any Flowise deployment using publicly accessible chatflows with sensitive data in flowData is at risk.
Recommendation
- Deploy the Sigma rule
Detect Flowise Public Chatflow Data Exposureto identify instances attempting to access public chatflow endpoints (logsource:webserver). - Immediately upgrade Flowise instances to a version greater than 3.0.13 that includes the
sanitizeFlowDataForPublicEndpointfunction and ensures its proper implementation on bothpublic-chatflowsandpublic-chatbotConfigendpoints (reference: github advisory). - Rotate all API keys and passwords stored within Flowise
flowDataof publicly accessible chatflows (reference: overview). - Audit all existing public chatflows for sensitive data and remove any exposed credentials or secrets (reference: attack chain).
Detection coverage 2
Detect Flowise Public Chatflow Data Exposure
highDetects attempts to access the Flowise public chatflow endpoints which may expose sensitive data in vulnerable versions.
Detect Sensitive Keywords in Flowise Public Chatflow Responses
criticalDetects responses from Flowise public chatflow endpoints containing potential sensitive keywords indicating data exposure.
Detection queries are available on the platform. Get full rules →