GHSA-6f7g-v4pp-r667: Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise
Summary
Flowise contains a vulnerability that allows unauthenticated users to obtain OAuth 2.0 access tokens (credentials that grant access to third-party services such as Gmail) from public chatflows. An attacker can first retrieve internal workflow data, including credential identifiers, from a public endpoint, then use those identifiers to refresh OAuth tokens without any authentication check, potentially gaining unauthorized access to the connected services.
Original source: https://github.com/advisories/GHSA-6f7g-v4pp-r667
First tracked: April 16, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%