
Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2.

PUBLISHED | Reserved 2026-05-13 | Published 2026-06-08 | Updated 2026-06-08 | Assigner GitHub_M




HIGH: 7.5 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-522: Insufficiently Protected Credentials

Product status

< 3.1.2: affected

References

github.com/...lowise/security/advisories/GHSA-php6-83fg-gw3g exploit

github.com/...lowise/security/advisories/GHSA-php6-83fg-gw3g

github.com/FlowiseAI/Flowise/releases/tag/flowise@3.1.2

cve.org (CVE-2026-46440)

nvd.nist.gov (CVE-2026-46440)
