GHSA-wvhq-wp8g-c7vq: Flowise has Authorization Bypass via Spoofed x-request-from Header
Summary
Flowise has a critical authorization bypass flaw in its `/api/v1` routes where the middleware trusts any request with the header `x-request-from: internal`, even though this header can be spoofed by any user. This allows a low-privilege authenticated tenant (someone with a valid browser cookie) to call internal administration endpoints, like API key creation and credential management, without proper permission checks, effectively escalating their privileges.
Vulnerability Details
EPSS: 0.1%
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-wvhq-wp8g-c7vq
First tracked: March 6, 2026 at 03:00 PM
Classified by LLM (prompt v3) · confidence: 95%