CVE

GHSA-v5w9-prxf-w882

Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)

Summary

An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authentication.

Details

A critical vulnerability in Flowise 3.0.1 on-premise deployments allows unauthenticated attackers to exploit the /api/v1/account/register endpoint to add a new user and log in with it, enabling authentication bypass.

This means the registration functionality is open by default, allowing attackers to create an account and use the API without any restrictions or credentials.

PoC

A Flowise 3.0.1 instance was deployed via Docker for the purpose of this demonstration.

[Screenshot: Docker]

After successful deployment, the instance's organization setup page allows us to register the first account in the system.

[Screenshot: newly deployed instance]

Creating the first user research@evasec.io

[Screenshot: configuring account]

Log in to the account

[Screenshot: login]

The background request to /api/v1/account/register that created the first user

[Screenshot: request]

Response

[Screenshot: response]

We have found that it is possible to reuse the registration request multiple times without any restrictions to create an account and authenticate to the system using it.

Crafting a new request 

{
    "user": {
        "name": "Malicious",
        "email": "attacker@attack.io",
        "type": "pro",
        "credential": "Password123!"
    }
}

[Screenshot: attacker new register]

The response returns status code 201 “Created”

[Screenshot: created]

Log in using the newly created user (attacker)

[Screenshot: login using attacker]

Successful login

[Screenshot: successful auth bypass]

An unauthorized user can exploit this vulnerability to register an account and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication. 

Impact

This is an authentication bypass vulnerability caused by an unprotected registration endpoint (/register).

Users of Flowise 3.0.1 (latest) on-premise deployments are impacted. An unauthorized attacker can exploit this vulnerability to register an account after the organization setup has been completed, and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication.
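
To check whether an instance has already been affected, a defender can look for successful calls to the registration endpoint that occur after the initial organization setup. The following is an added example, not code from the advisory or from Flowise; it assumes a reverse proxy in front of Flowise writes combined-format access logs, and the log lines, IP addresses and function names are constructed for illustration.

```javascript
// Added example: flag account registrations that succeed after initial setup.
// Assumption: a reverse proxy in front of Flowise writes combined-format access logs.
const REGISTER_PATH = "/api/v1/account/register";

// Matches: ip ident user [time] "METHOD path PROTO" status ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // skip lines that are not in the expected format
  const [, ip, time, method, rawPath, status] = m;
  // Drop any query string and trailing slash before comparing paths.
  const path = rawPath.split("?")[0].replace(/\/+$/, "");
  return { ip, time, method, path, status: Number(status) };
}

// Returns every 2xx registration after the first one, which is treated as the
// legitimate organization setup. Pass setupDone = true when the log window
// starts after setup (e.g. rotated logs), so every success is reported.
function findPostSetupRegistrations(lines, setupDone = false) {
  const findings = [];
  let seenSuccess = setupDone;
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== "POST" || e.path !== REGISTER_PATH) continue;
    if (e.status < 200 || e.status >= 300) continue; // rejected attempts
    if (seenSuccess) findings.push({ ip: e.ip, time: e.time, status: e.status });
    seenSuccess = true;
  }
  return findings;
}

// Constructed sample log lines (documentation IP ranges, not real traffic).
const SAMPLE_LOG = [
  '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "POST /api/v1/account/register HTTP/1.1" 201 312 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [02/Jan/2025:03:14:00 +0000] "POST /api/v1/account/register HTTP/1.1" 201 310 "-" "curl/8.0"',
  '198.51.100.4 - - [02/Jan/2025:04:00:00 +0000] "POST /api/v1/account/register/ HTTP/1.1" 400 90 "-" "curl/8.0"',
  '203.0.113.7 - - [02/Jan/2025:04:10:00 +0000] "GET / HTTP/1.1" 200 1200 "-" "curl/8.0"',
];

for (const f of findPostSetupRegistrations(SAMPLE_LOG)) {
  console.log(`registration after setup: ${f.ip} at ${f.time} (HTTP ${f.status})`);
}
```

Any finding should be compared against the instance's user list, since each one corresponds to an account created outside the setup flow.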


References

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v5w9-prxf-w882, https://github.com/FlowiseAI/Flowise
