Vulnerability Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Flowiseai | Flowise | < 3.0.13 |
Related Weaknesses (CWE)
References
- https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13ProductRelease Notes
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vqExploitVendor Advisory
FAQ
What is CVE-2026-30820?
CVE-2026-30820 is a vulnerability with a CVSS score of 8.8 (HIGH). Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing...
How severe is CVE-2026-30820?
CVE-2026-30820 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30820?
Check the references section above for vendor advisories and patch information. Affected products include: Flowiseai Flowise.