GHSA-php6-83fg-gw3g: FlowiseAI Exposes Basic Auth Credentials via API
Summary
FlowiseAI's checkBasicAuth endpoint, which checks login credentials, accepts plaintext passwords with no rate limiting on the number of attempts, so many passwords can be tried in quick succession (brute force). The endpoint also returns different success and failure messages depending on whether the username exists, which confirms valid usernames to the caller, and it compares credentials with a direct string comparison rather than a constant-time comparison (one that takes the same time regardless of where the strings first differ), leaving it open to timing attacks.
Solution / Mitigation
The source text provides recommendations but does not describe an implemented fix or version update. The recommendations listed are:
1) Implement rate limiting on this endpoint
2) Use constant-time comparison to prevent timing attacks
3) Consider using hashed comparison
4) Return generic error messages
5) Add logging for failed attempts
No specific patch version or deployed mitigation is mentioned in the source.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-php6-83fg-gw3g
First tracked: May 14, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 92%