GHSA-php6-83fg-gw3g

Source
https://github.com/advisories/GHSA-php6-83fg-gw3g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-php6-83fg-gw3g/GHSA-php6-83fg-gw3g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-php6-83fg-gw3g
Aliases
  • CVE-2026-46440
Published
2026-05-14T14:54:46Z
Modified
2026-06-09T13:15:14.363089668Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
FlowiseAI Exposes Basic Auth Credentials via API
Details

Detection Method: Kolega.dev Deep Code Scan

| Attribute | Value |
|---|---|
| Severity | Medium |
| CWE | CWE-522 (Insufficiently Protected Credentials) |
| Location | packages/server/src/enterprise/controllers/account.controller.ts:128-135 |
| Practical Exploitability | Medium |
| Developer Approver | faizan@kolega.ai |

Description

The checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison.

Affected Code

```typescript
// Vulnerable handler as quoted in the advisory; closing braces and the failure
// branch are restored from the Notes section (Request/Response are Express types)
public async checkBasicAuth(req: Request, res: Response) {
    const { username, password } = req.body
    if (username === process.env.FLOWISE_USERNAME && password === process.env.FLOWISE_PASSWORD) {
        return res.json({ message: 'Authentication successful' })
    }
    return res.json({ message: 'Authentication failed' })
}
```

Evidence

Credentials are sent in plaintext in request body and compared directly without hashing. No rate limiting prevents brute force attacks. The endpoint returns different messages for success/failure, enabling enumeration.

Impact

Credential brute-forcing - attackers can attempt unlimited username/password combinations against the basic auth system. Successful attacks grant access to the application.

Recommendation

1. Implement rate limiting on this endpoint.
2. Use constant-time comparison to prevent timing attacks.
3. Consider using hashed comparison.
4. Return generic error messages.
5. Add logging for failed attempts.
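A hardened form of the handler that applies the five recommendations above, added here as an illustrative example rather than Flowise's own fix (the 3.1.2 patch is not shown on this page). It assumes the same FLOWISE_USERNAME/FLOWISE_PASSWORD variables, replaces the Express request/response with plain parameters and a return value so it can run without a server, and uses a hypothetical in-memory limiter instead of Flowise's RateLimiterManager.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto'

// Hash both sides to a fixed length so timingSafeEqual never throws on a
// length mismatch and the comparison time does not depend on the input.
function digest(value: string): Buffer {
    return createHash('sha256').update(value, 'utf8').digest()
}

// Constant-time check of the submitted pair against the configured pair.
// Both fields are always compared, so a wrong username does not return early.
export function credentialsMatch(username: string, password: string,
                                 expectedUser: string, expectedPass: string): boolean {
    const userOk = timingSafeEqual(digest(username), digest(expectedUser))
    const passOk = timingSafeEqual(digest(password), digest(expectedPass))
    return userOk && passOk
}

// Minimal fixed-window limiter keyed per client (hypothetical helper, not
// Flowise's RateLimiterManager); `now` is passed in so it is testable.
export function makeAttemptLimiter(maxAttempts: number, windowMs: number) {
    const attempts = new Map<string, { count: number; windowStart: number }>()
    return (key: string, now: number): boolean => {
        const entry = attempts.get(key)
        if (!entry || now - entry.windowStart >= windowMs) {
            attempts.set(key, { count: 1, windowStart: now })
            return true
        }
        entry.count += 1
        return entry.count <= maxAttempts
    }
}

// Framework-independent form of the handler: limiter checked first, one
// generic failure message for every failed path, failed attempts logged.
export function checkBasicAuth(clientKey: string, username: string, password: string,
                               allow: (key: string, now: number) => boolean,
                               now: number = Date.now(),
                               env: Record<string, string | undefined> = process.env
): { status: number; message: string } {
    if (!allow(clientKey, now)) {
        return { status: 429, message: 'Too many requests' }
    }
    const expectedUser = env.FLOWISE_USERNAME ?? ''
    const expectedPass = env.FLOWISE_PASSWORD ?? ''
    if (expectedUser && credentialsMatch(username, password, expectedUser, expectedPass)) {
        return { status: 200, message: 'Authentication successful' }
    }
    console.warn(`basic auth failed for client ${clientKey}`)
    return { status: 401, message: 'Authentication failed' }
}
```

An unset FLOWISE_USERNAME deliberately fails every login rather than matching an empty submission.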

Notes

The checkBasicAuth endpoint at lines 128-135 has multiple security issues:

1. No rate limiting: the RateLimiterManager only applies to chatflow-specific endpoints, not auth endpoints, so an attacker can perform unlimited brute-force attempts.
2. Uses the JavaScript === operator for comparison, which is not constant-time and may enable timing attacks.
3. Returns different messages for success ('Authentication successful') and failure ('Authentication failed'), enabling credential enumeration.

The endpoint compares plaintext credentials against the environment variables FLOWISE_USERNAME and FLOWISE_PASSWORD. While this is basic auth intended for simpler deployments, the lack of rate limiting makes it actively exploitable for credential brute-forcing.

Database specific
{
    "github_reviewed_at": "2026-05-14T14:54:46Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-522"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-06-08T16:16:41Z"
}
References

Affected packages

npm / flowise

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.1.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-php6-83fg-gw3g/GHSA-php6-83fg-gw3g.json"
last_known_affected_version_range
"<= 3.1.1"