{"data":{"id":"9dcb39c2-f4cc-4724-86a6-8127f693abbc","title":"GHSA-php6-83fg-gw3g: FlowiseAI Exposes Basic Auth Credentials via API","summary":"FlowiseAI's checkBasicAuth endpoint (a feature that checks login credentials) has a security flaw where it accepts plaintext passwords without rate limiting (restrictions on how many login attempts are allowed), making it vulnerable to brute-force attacks (where attackers try many password combinations rapidly). The endpoint also reveals whether a username exists by returning different success and failure messages, and uses direct string comparison instead of constant-time comparison (a timing-attack-resistant method that takes the same time regardless of where strings differ).","solution":"The source text provides recommendations but does not describe an implemented fix or version update. The recommendations listed are: 1) Implement rate limiting on this endpoint, 2) Use constant-time comparison to prevent timing attacks, 3) Consider using hashed comparison, 4) Return generic error messages, 5) Add logging for failed attempts. No specific patch version or deployed mitigation is mentioned in the source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-php6-83fg-gw3g","publishedAt":"2026-05-14T14:54:46.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["flowise@<= 3.1.1 (fixed: 3.1.2)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["FlowiseAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-05-14T14:54:46.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}