CVE-2026-30820 HIGH

CVE-2026-30820: Flowise Authorization Bypass via Spoofed x-request-from Header

Vendor Flowiseai
Product Flowise
Weakness CWE-863 · Incorrect authorization
Published March 7, 2026
Last update March 9, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.

Key dates

02Disclosure timeline

March 7, 2026 CVE published
March 9, 2026 Record updated