{"data":{"id":"4ca134fa-55ca-4e7f-b88f-27360910f5de","title":"GHSA-wvhq-wp8g-c7vq: Flowise has Authorization Bypass via Spoofed x-request-from Header","summary":"Flowise has a critical authorization bypass flaw in its `/api/v1` routes where the middleware trusts any request with the header `x-request-from: internal`, even though this header can be spoofed by any user. This allows a low-privilege authenticated tenant (someone with a valid browser cookie) to call internal administration endpoints, like API key creation and credential management, without proper permission checks, effectively escalating their privileges.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-wvhq-wp8g-c7vq","publishedAt":"2026-03-06T18:48:22.000Z","cveId":"CVE-2026-30820","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["flowise@<= 3.0.12 (fixed: 3.0.13)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00057,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}