Attack Chain

1. An attacker authenticates to the FlowiseAI instance using a valid API key.
2. The attacker sends a POST request to /api/v1/openai-assistants-vector-store to create a new vector store.
3. The application, lacking permission checks, creates the new vector store without validating the user’s privileges.
4. The attacker sends a POST request to /api/v1/openai-assistants-vector-store/{id} to upload malicious files to the created vector store, exploiting the missing checks on file upload.
5. The attacker sends a PUT request to /api/v1/openai-assistants-vector-store/{id} to modify the vector store’s configuration or data.
6. Alternatively, the attacker sends a DELETE request to /api/v1/openai-assistants-vector-store/{id} to delete vector stores and associated files.
7. The application executes the requested operation without proper authorization validation, leading to data manipulation or deletion.

Impact

Successful exploitation of this vulnerability allows any authenticated user to manipulate OpenAI vector stores within FlowiseAI. This can lead to the upload of malicious files, unauthorized deletion of sensitive data, exfiltration of stored documents, or modification of vector store configurations. This privilege escalation could allow an attacker to compromise the integrity and confidentiality of data stored within FlowiseAI.

Recommendation

• Deploy the Sigma rule provided below to detect unauthorized creation of vector stores via the /api/v1/openai-assistants-vector-store endpoint.
• Deploy the Sigma rule provided below to detect unauthorized deletion of vector stores and files via the /api/v1/openai-assistants-vector-store/{id} endpoint.
• Upgrade FlowiseAI to a patched version greater than 3.1.1 to remediate the missing authentication and permission checks.
• Implement robust access control mechanisms and permission validation on all API endpoints to prevent unauthorized data manipulation.