FlowiseAI Exposes Basic Auth Credentials via API
Detection Method: Kolega.dev Deep Code Scan

| Attribute | Value |
|---|---|
| Severity | Medium |
| CWE | CWE-522 (Insufficiently Protected Credentials) |
| Location | packages/server/src/enterprise/controllers/account.controller.ts:128-135 |
| Practical Exploitability | Medium |
| Developer Approver | faizan@kolega.ai |
Description
The checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison.
Affected Code

```ts
public async checkBasicAuth(req: Request, res: Response) {
    const { username, password } = req.body
    // Plaintext, non-constant-time comparison against environment variables
    if (username === process.env.FLOWISE_USERNAME && password === process.env.FLOWISE_PASSWORD) {
        return res.json({ message: 'Authentication successful' })
    }
    // Failure branch reconstructed from the Notes below (distinct failure message);
    // the exact response shape of this branch is not shown in the scan excerpt
    return res.json({ message: 'Authentication failed' })
}
```
Evidence
Credentials are sent in plaintext in request body and compared directly without hashing. No rate limiting prevents brute force attacks. The endpoint returns different messages for success/failure, enabling enumeration.
Impact
Credential brute-forcing: attackers can attempt unlimited username/password combinations against the basic auth system. Successful attacks grant access to the application.
### Recommendation

1) Implement rate limiting on this endpoint.
2) Use constant-time comparison to prevent timing attacks.
3) Consider using hashed comparison.
4) Return generic error messages.
5) Add logging for failed attempts.
Notes
The checkBasicAuth endpoint at lines 128-135 has multiple security issues:

1. No rate limiting: the RateLimiterManager only applies to chatflow-specific endpoints, not auth endpoints. Attackers can perform unlimited brute force attempts.
2. Uses the JavaScript === operator for comparison, which is not constant-time, potentially enabling timing attacks.
3. Returns different messages for success ('Authentication successful') vs failure ('Authentication failed'), enabling credential enumeration.

The endpoint compares plaintext credentials against the environment variables FLOWISE_USERNAME and FLOWISE_PASSWORD. While this is basic auth for simpler deployments, the lack of rate limiting makes it actively exploitable for credential brute-forcing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The checkBasicAuth endpoint in Flowise validates credentials in plaintext without rate limiting, enabling brute-force attacks and credential enumeration.
Vulnerability
The checkBasicAuth endpoint in packages/server/src/enterprise/controllers/account.controller.ts (lines 128–135) performs plaintext comparison of credentials against the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables using the JavaScript === operator, which is not constant-time [1][3][4]. The endpoint lacks any rate limiting, and the RateLimiterManager is not applied to auth endpoints, allowing unlimited authentication attempts [3][4]. Affected versions are those prior to the fix included in release flowise@3.1.2 [1] (though the specific commit for this issue is not explicitly listed in that release, the advisory indicates the issue exists in the codebase at the described location).
Exploitation
An attacker can send arbitrary username and password values in the request body to the /api/v1/checkBasicAuth endpoint without any rate limit enforcement [3][4]. The endpoint returns distinct messages: 'Authentication successful' on success and 'Authentication failed' on failure, enabling credential enumeration (user discovery) [2][3][4]. Because the comparison uses the === operator (not a constant-time function), a local/network attacker may also be able to perform timing attacks to deduce valid credentials character-by-character [3][4]. No authentication or prior access is required to reach the endpoint.
Impact
Successful credential brute-force or enumeration against the basic auth system grants the attacker authenticated access to the Flowise application [3][4]. This can lead to full compromise of the application's data and functionality, depending on the privileges of the basic auth user. The confidentiality and integrity of the system are at risk.
Mitigation
The vulnerability is addressed in the Flowise codebase; users should upgrade to version flowise@3.1.2 or later, which includes a fix for this issue [1][3][4]. As a workaround until upgrade, administrators can implement rate limiting on the checkBasicAuth endpoint (e.g., via a reverse proxy or WAF), enforce use of constant-time comparison (e.g., using crypto.timingSafeEqual), return generic error messages regardless of success/failure, and add logging for all authentication attempts as recommended in the advisory [3][4]. No KEV listing is currently available.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions: 3
No linked articles in our index yet.