{"data":{"id":"0633adfc-bdf6-4cf6-99eb-7d74d7b4884e","title":"GHSA-4jpm-cgx2-8h37: Flowise: Sensitive Data Leak in public-chatbotConfig","summary":"A Flowise endpoint called /api/v1/public-chatbotConfig/:id exposes sensitive information like API keys and authentication headers without requiring a password or login. An attacker who knows only a chatflow UUID (a unique identifier for a workflow) can retrieve stored credentials and internal URLs by sending a simple web request to this endpoint.","solution":"N/A -- no mitigation discussed in source. This record lists flowise 3.1.0 as the fixed version (patchAvailable: true), so upgrading to 3.1.0 or later is the indicated remediation.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-4jpm-cgx2-8h37","publishedAt":"2026-04-16T21:44:49.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["pii_leakage"],"issueType":"vulnerability","affectedPackages":["flowise@<= 3.0.13 (fixed: 3.1.0)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-16T21:44:49.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}