CVE-2025-59434: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Host
Summary
Flowise is a tool with a visual interface for building customized AI workflows. Before August 2025, free-tier users on Flowise Cloud could access sensitive secrets (like API keys for OpenAI, AWS, and Google Cloud) belonging to other users through a Custom JavaScript Function node, exposing data across different user accounts. This cross-tenant data exposure vulnerability has been patched in the August 2025 update.
Solution / Mitigation
Update to the August 2025 Cloud-Hosted Flowise version or later, which includes the patch for this vulnerability.
Vulnerability Details
9.6 (critical)
EPSS: 0.1%
Classification
Affected Vendors
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-59434
First tracked: February 15, 2026 at 08:49 PM