Tag
The Flowise text-to-speech generation endpoint is vulnerable to unauthorized access due to accepting arbitrary credential IDs in the request body, enabling attackers to use victim's API keys for services like OpenAI and ElevenLabs, consume their API credits, and generate unlimited speech content at the victim's expense; this affects Flowise versions 3.0.13 and earlier.