GHSA-cwc3-p92j-g7qm: Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
Summary
Flowise has a critical IDOR (insecure direct object reference: the application uses a client-supplied identifier to select which record to act on without checking that the caller is authorized for that record) vulnerability in its login configuration endpoint. An attacker holding nothing more than a free account can modify any organization's single sign-on settings simply by supplying a different organization ID in the request. This enables account takeover, because logins for the victim organization can be redirected to an identity provider the attacker controls, and it bypasses enterprise license restrictions, because SSO can be switched on for organizations that are not licensed for it.
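The following is an added illustration of the authorization flaw class the advisory describes, written for this page; it is not Flowise code, and the handler shape, field names (organizationId, issuerUrl, enterpriseLicensed), role model and in-memory store are all assumptions. It places the vulnerable pattern (the target organization is taken from the request body) next to a hardened version (the target organization is derived from the authenticated session, the caller must be an admin, and SSO cannot be enabled on an unlicensed tenant).

```typescript
// Added example, not from the Flowise project. All names below are assumptions.

type Role = "admin" | "member";

interface Session {
  userId: string;
  organizationId: string; // organization the authenticated user belongs to
  role: Role;
}

interface LoginConfig {
  ssoEnabled: boolean;
  issuerUrl: string; // identity provider that the login flow redirects to
}

interface Organization {
  id: string;
  enterpriseLicensed: boolean;
  loginConfig: LoginConfig;
}

// Body exactly as the client sends it: organizationId is attacker-controlled.
interface UpdateRequest {
  organizationId?: string;
  loginConfig: LoginConfig;
}

interface Result {
  status: number;
  message: string;
}

// Constructed sample tenants: one paying enterprise org, one free org.
function makeStore(): Map<string, Organization> {
  return new Map<string, Organization>([
    ["org-enterprise", { id: "org-enterprise", enterpriseLicensed: true,
      loginConfig: { ssoEnabled: true, issuerUrl: "https://idp.victim.example" } }],
    ["org-free", { id: "org-free", enterpriseLicensed: false,
      loginConfig: { ssoEnabled: false, issuerUrl: "" } }],
  ]);
}

// Vulnerable pattern: the record to update is chosen by the identifier in the
// request body. Any authenticated user can rewrite any organization's SSO
// settings, including pointing the login flow at an issuer they control.
function vulnerableUpdate(store: Map<string, Organization>, session: Session, req: UpdateRequest): Result {
  const org = store.get(req.organizationId ?? session.organizationId);
  if (!org) return { status: 404, message: "organization not found" };
  org.loginConfig = { ...req.loginConfig };
  return { status: 200, message: "updated" };
}

// Hardened pattern: the target organization comes from the session, a body
// identifier that disagrees with it is rejected, only admins may change login
// settings, and SSO is refused for tenants without an enterprise license.
function hardenedUpdate(store: Map<string, Organization>, session: Session, req: UpdateRequest): Result {
  if (req.organizationId !== undefined && req.organizationId !== session.organizationId) {
    return { status: 403, message: "cannot modify another organization" };
  }
  if (session.role !== "admin") {
    return { status: 403, message: "admin role required" };
  }
  const org = store.get(session.organizationId);
  if (!org) return { status: 404, message: "organization not found" };
  if (req.loginConfig.ssoEnabled && !org.enterpriseLicensed) {
    return { status: 402, message: "SSO requires an enterprise license" };
  }
  if (req.loginConfig.ssoEnabled && !req.loginConfig.issuerUrl.startsWith("https://")) {
    return { status: 400, message: "issuer URL must use https" };
  }
  org.loginConfig = { ...req.loginConfig };
  return { status: 200, message: "updated" };
}

// Attacker from the free tenant tries to hijack the enterprise tenant's SSO.
// Returns the enterprise org's issuer after the attempt for each handler.
function runScenario(): { vulnerableIssuer: string; hardenedIssuer: string } {
  const attacker: Session = { userId: "u-attacker", organizationId: "org-free", role: "admin" };
  const payload: UpdateRequest = {
    organizationId: "org-enterprise",
    loginConfig: { ssoEnabled: true, issuerUrl: "https://idp.attacker.example" },
  };
  const s1 = makeStore();
  vulnerableUpdate(s1, attacker, payload);
  const s2 = makeStore();
  hardenedUpdate(s2, attacker, payload);
  return {
    vulnerableIssuer: s1.get("org-enterprise")!.loginConfig.issuerUrl,
    hardenedIssuer: s2.get("org-enterprise")!.loginConfig.issuerUrl,
  };
}
```

Deriving the tenant from the session rather than the body is the core fix; if a product lets one user belong to several organizations, the check becomes a membership-and-role lookup against the server-side record, but the request body still must not be the source of truth for which tenant is being modified.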
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-cwc3-p92j-g7qm
First tracked: March 6, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 85%