GHSA-7G73-99R4-M4MJ: GHSA-7G73-99R4-M4MJ: Credential Data Leak in FlowiseAI API Responses

#security #cve #cybersecurity #ghsa

GHSA-7G73-99R4-M4MJ: Credential Data Leak in FlowiseAI API Responses

Vulnerability ID: GHSA-7G73-99R4-M4MJ
CVSS Score: 7.5
Published: 2026-05-14

FlowiseAI versions prior to 3.1.2 suffer from a CWE-200 Information Exposure vulnerability. The application's credential management API inadvertently returns the encryptedData field containing ciphertext for sensitive integrations in its JSON responses.

TL;DR

An API serialization flaw in FlowiseAI < 3.1.2 leaks encrypted credentials in JSON responses. Attackers can harvest this ciphertext, facilitating complete credential compromise if the master encryption key is separately obtained.

Technical Details

CWE ID: CWE-200
Vulnerability Class: Information Exposure
Attack Vector: Network/API
Authentication Required: Yes (Access to endpoint)
Exploit Status: None
Affected Component: packages/server/src/services/credentials/index.ts

Affected Systems

FlowiseAI Application Server
flowise npm package
flowise: < 3.1.2 (Fixed in: 3.1.2)

Mitigation Strategies

Upgrade the flowise package to version 3.1.2 or later.
Implement response filtering on reverse proxies to block the transmission of the encryptedData key.
Rotate all credentials stored in Flowise if exploitation is suspected.

Remediation Steps:

Identify the currently deployed version of FlowiseAI.
Update the package using npm install -g flowise@3.1.2 or the equivalent container image.
Restart the Flowise application service.
Audit access logs for unauthorized GET requests to the /credentials endpoint.
Generate new API keys for all third-party services managed by Flowise and update the configurations.