CVE-2026-30820

Source
https://cve.org/CVERecord?id=CVE-2026-30820
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30820.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-30820
Aliases
Published
2026-03-07T05:07:44.381Z
Modified
2026-04-02T13:23:12.603477Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Flowise Authorization Bypass via Spoofed x-request-from Header
Details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.
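
The trust pattern described above, next to a hardened form, as an added sketch; this is illustrative code, not Flowise source and not the 3.0.13 patch. The permission table, the `/api/v1/example-admin` path, the `x-internal-token` header and all function names are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Per-process secret held only by server-side callers (assumption for this sketch).
const INTERNAL_TOKEN = crypto.randomBytes(32).toString('hex');

// Constructed permission table: role -> allowed path prefixes.
const PERMISSIONS = {
  admin: ['/api/v1/'],
  tenant: ['/api/v1/chatflows'],
};

function roleAllows(user, path) {
  const prefixes = (user && PERMISSIONS[user.role]) || [];
  return prefixes.some((p) => path.startsWith(p));
}

// Pattern the advisory describes: a header any HTTP client can set
// short-circuits the role check.
function authorizeTrustingHeader(req) {
  if (req.headers['x-request-from'] === 'internal') return true;
  return roleAllows(req.user, req.path);
}

// Hardened form: the marker header carries no authority. Only a caller that
// holds the server-side token skips the role check; everyone else is checked.
function authorizeHardened(req) {
  const presented = Buffer.from(String(req.headers['x-internal-token'] || ''));
  const expected = Buffer.from(INTERNAL_TOKEN);
  if (presented.length === expected.length &&
      crypto.timingSafeEqual(presented, expected)) return true;
  return roleAllows(req.user, req.path);
}

// Constructed request: a low-privilege tenant session plus optional headers.
function sampleRequest(extraHeaders = {}) {
  return {
    method: 'GET',
    path: '/api/v1/example-admin', // hypothetical admin-only route
    user: { id: 'u-1', role: 'tenant' },
    headers: { cookie: 'session=constructed', ...extraHeaders },
  };
}
```

A reverse proxy in front of the application should also drop any inbound `x-request-from` header so that the value can never originate outside the trust boundary.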

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30820.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/flowiseai/flowise

Affected ranges

Type
GIT
Repo
https://github.com/flowiseai/flowise
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

flowise-components@1.*
flowise-components@1.0.0
flowise-components@1.1.0
flowise-components@1.1.1
flowise-components@1.2.1
flowise-components@1.2.10
flowise-components@1.2.11
flowise-components@1.2.12
flowise-components@1.2.13
flowise-components@1.2.14
flowise-components@1.2.15
flowise-components@1.2.16
flowise-components@1.2.17
flowise-components@1.2.2
flowise-components@1.2.3
flowise-components@1.2.4
flowise-components@1.2.5
flowise-components@1.2.6
flowise-components@1.2.7
flowise-components@1.2.8
flowise-components@1.2.9
flowise-components@1.3.0
flowise-components@1.3.1
flowise-components@1.3.10
flowise-components@1.3.11
flowise-components@1.3.2
flowise-components@1.3.3
flowise-components@1.3.4
flowise-components@1.3.5
flowise-components@1.3.7
flowise-components@1.3.8
flowise-components@1.3.9
flowise-components@1.4.0
flowise-components@1.4.0-rc.1
flowise-components@1.4.1
flowise-components@1.4.2
flowise-components@1.4.3
flowise-components@1.4.6
flowise-components@1.4.7
flowise-components@1.4.8
flowise-components@1.4.9
flowise-components@1.5.0
flowise-components@1.5.1
flowise-components@1.5.2
flowise-components@1.5.3
flowise-components@1.6.0
flowise-components@1.6.1
flowise-components@1.6.2
flowise-components@1.6.3
flowise-components@1.6.4
flowise-components@1.6.5
flowise-components@1.6.6
flowise-components@1.6.7
flowise-components@1.6.8
flowise-components@1.7.0
flowise-components@1.7.1
flowise-components@1.7.2
flowise-components@1.8.0
flowise-components@1.8.1
flowise-components@1.8.3
flowise-components@1.8.4
flowise-components@1.8.6
flowise-components@2.*
flowise-components@2.0.0
flowise-components@2.0.1
flowise-components@2.0.2
flowise-components@2.0.3
flowise-components@2.0.4
flowise-components@2.0.5
flowise-components@2.0.6
flowise-components@2.0.7
flowise-components@2.1.0
flowise-components@2.1.1
flowise-components@2.1.2
flowise-components@2.1.3
flowise-components@2.1.4
flowise-components@2.1.5
flowise-components@2.2.0
flowise-components@2.2.1
flowise-components@2.2.2
flowise-components@2.2.3
flowise-components@2.2.4
flowise-components@2.2.5
flowise-components@2.2.6
flowise-components@2.2.7
flowise-components@2.2.7-patch.1
flowise-components@2.2.8
flowise-components@3.*
flowise-components@3.0.0
flowise-components@3.0.1
flowise-components@3.0.10
flowise-components@3.0.11
flowise-components@3.0.12
flowise-components@3.0.2
flowise-components@3.0.3
flowise-components@3.0.4
flowise-components@3.0.5
flowise-components@3.0.6
flowise-components@3.0.7
flowise-components@3.0.8
flowise-components@3.0.9
flowise-embed@1.*
flowise-embed@1.0.1
flowise-ui@1.*
flowise-ui@1.0.0
flowise-ui@1.1.0
flowise-ui@1.2.0
flowise-ui@1.2.1
flowise-ui@1.2.10
flowise-ui@1.2.11
flowise-ui@1.2.12
flowise-ui@1.2.13
flowise-ui@1.2.14
flowise-ui@1.2.15
flowise-ui@1.2.2
flowise-ui@1.2.3
flowise-ui@1.2.4
flowise-ui@1.2.5
flowise-ui@1.2.6
flowise-ui@1.2.7
flowise-ui@1.2.9
flowise-ui@1.3.0
flowise-ui@1.3.1
flowise-ui@1.3.2
flowise-ui@1.3.3
flowise-ui@1.3.4
flowise-ui@1.3.5
flowise-ui@1.3.6
flowise-ui@1.3.7
flowise-ui@1.4.0
flowise-ui@1.4.0-rc.1
flowise-ui@1.4.1
flowise-ui@1.4.2
flowise-ui@1.4.3
flowise-ui@1.4.4
flowise-ui@1.4.5
flowise-ui@1.4.6
flowise-ui@1.4.7
flowise-ui@1.4.8
flowise-ui@1.4.9
flowise-ui@1.5.0
flowise-ui@1.5.1
flowise-ui@1.6.0
flowise-ui@1.6.1
flowise-ui@1.6.2
flowise-ui@1.6.3
flowise-ui@1.6.4
flowise-ui@1.6.5
flowise-ui@1.6.6
flowise-ui@1.7.0
flowise-ui@1.7.1
flowise-ui@1.7.2
flowise-ui@1.8.0
flowise-ui@1.8.1
flowise-ui@1.8.2
flowise-ui@1.8.3
flowise-ui@1.8.4
flowise-ui@2.*
flowise-ui@2.0.0
flowise-ui@2.0.1
flowise-ui@2.0.2
flowise-ui@2.0.3
flowise-ui@2.0.4
flowise-ui@2.0.5
flowise-ui@2.0.6
flowise-ui@2.0.7
flowise-ui@2.1.0
flowise-ui@2.1.1
flowise-ui@2.1.2
flowise-ui@2.1.3
flowise-ui@2.1.4
flowise-ui@2.1.5
flowise-ui@2.2.0
flowise-ui@2.2.1
flowise-ui@2.2.2
flowise-ui@2.2.3
flowise-ui@2.2.4
flowise-ui@2.2.5
flowise-ui@2.2.6
flowise-ui@2.2.7
flowise-ui@2.2.7-patch.1
flowise-ui@2.2.8
flowise-ui@3.*
flowise-ui@3.0.0
flowise-ui@3.0.1
flowise-ui@3.0.10
flowise-ui@3.0.11
flowise-ui@3.0.12
flowise-ui@3.0.2
flowise-ui@3.0.3
flowise-ui@3.0.4
flowise-ui@3.0.5
flowise-ui@3.0.6
flowise-ui@3.0.7
flowise-ui@3.0.8
flowise-ui@3.0.9
flowise@1.*
flowise@1.0.0
flowise@1.0.1
flowise@1.1.0
flowise@1.1.1
flowise@1.2.1
flowise@1.2.10
flowise@1.2.11
flowise@1.2.12
flowise@1.2.13
flowise@1.2.14
flowise@1.2.15
flowise@1.2.16
flowise@1.2.2
flowise@1.2.3
flowise@1.2.4
flowise@1.2.5
flowise@1.2.6
flowise@1.2.7
flowise@1.2.8
flowise@1.2.9
flowise@1.3.0
flowise@1.3.1
flowise@1.3.2
flowise@1.3.3
flowise@1.3.4
flowise@1.3.5
flowise@1.3.6
flowise@1.3.7
flowise@1.3.8
flowise@1.3.9
flowise@1.4.0
flowise@1.4.0-rc.1
flowise@1.4.1
flowise@1.4.10
flowise@1.4.11
flowise@1.4.12
flowise@1.4.2
flowise@1.4.3
flowise@1.4.4
flowise@1.4.5
flowise@1.4.6
flowise@1.4.7
flowise@1.4.8
flowise@1.4.9
flowise@1.5.0
flowise@1.5.1
flowise@1.6.0
flowise@1.6.1
flowise@1.6.2
flowise@1.6.3
flowise@1.6.4
flowise@1.6.5
flowise@1.6.6
flowise@1.7.0
flowise@1.7.1
flowise@1.7.2
flowise@1.8.0
flowise@1.8.1
flowise@1.8.2
flowise@1.8.3
flowise@1.8.4
flowise@2.*
flowise@2.0.0
flowise@2.0.1
flowise@2.0.2
flowise@2.0.3
flowise@2.0.4
flowise@2.0.5
flowise@2.0.6
flowise@2.0.7
flowise@2.1.0
flowise@2.1.1
flowise@2.1.2
flowise@2.1.3
flowise@2.1.4
flowise@2.1.5
flowise@2.2.0
flowise@2.2.1
flowise@2.2.2
flowise@2.2.3
flowise@2.2.4
flowise@2.2.5
flowise@2.2.6
flowise@2.2.6-hotfix.1
flowise@2.2.7
flowise@2.2.7-patch.1
flowise@2.2.8
flowise@3.*
flowise@3.0.0
flowise@3.0.1
flowise@3.0.10
flowise@3.0.11
flowise@3.0.12
flowise@3.0.2
flowise@3.0.3
flowise@3.0.4
flowise@3.0.5
flowise@3.0.6
flowise@3.0.7
flowise@3.0.8
flowise@3.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30820.json"