GHSA-wvhq-wp8g-c7vq: Flowise has Authorization Bypass via Spoofed x-request-from Header
Summary
Flowise has a critical authorization bypass flaw in its `/api/v1` routes where the middleware trusts any request with the header `x-request-from: internal`, even though this header can be spoofed by any user. This allows a low-privilege authenticated tenant (someone with a valid browser cookie) to call internal administration endpoints, like API key creation and credential management, without proper permission checks, effectively escalating their privileges.
Vulnerability Details
EPSS: 0.1%
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://github.com/advisories/GHSA-wvhq-wp8g-c7vq
First tracked: March 6, 2026 at 03:00 PM
Classified by LLM (prompt v3) · confidence: 95%