GHSA-6f7g-v4pp-r667: Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise
Summary
Flowise has a security flaw where unauthenticated users can obtain OAuth 2.0 access tokens (credentials that grant access to third-party services like Gmail) from public chatflows. An attacker can first retrieve internal workflow data including credential identifiers from a public endpoint, then use those identifiers to refresh OAuth tokens without any authentication checks, potentially gaining unauthorized access to connected services.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-63086: text-generation-inference through 3.3.7 contains a server-side request forgery (SSRF) vulnerability in the OpenAI-compat
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
Original source: https://github.com/advisories/GHSA-6f7g-v4pp-r667
First tracked: April 16, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%