AI & LLM Vulnerabilities

FlowiseAI has a mass assignment vulnerability (a security flaw where an attacker can modify database fields they shouldn't be able to) in its CustomTemplate feature that allows authenticated users to move templates between workspaces by including a `workspaceId` field in their request. This breaks workspace isolation (the separation that prevents users from accessing data outside their assigned workspace), allowing an attacker to take over templates from other workspaces, since the code uses `Object.assign()` to copy user input directly into database records without filtering which fields are allowed.

FlowiseAI has a mass-assignment vulnerability (a bug where user input is copied directly into database objects without filtering) in its Assistant service that allows authenticated attackers to change the `workspaceId` field of an assistant they own, moving it to another workspace and gaining unauthorized access. This breaks workspace isolation (the security boundary that keeps data from different organizations separate) and exposes sensitive information like LLM configuration and credentials to unintended users.

FlowiseAI's OpenAI Assistants Vector Store endpoints lack permission checks, allowing any authenticated user to create, modify, delete, or upload files to vector stores regardless of their assigned role. This missing authorization (CWE-306, a security weakness where critical functions don't verify user permissions) has a severity score of about 8.1, meaning attackers with basic access could steal or destroy data.

n8n, a workflow automation tool, had a security flaw where OAuth credential reconnect endpoints checked for read-only access instead of update access. This meant an authenticated user with limited permissions could hijack shared credentials by reconnecting them to their own external account, allowing them to intercept data or take over workflows that other users depend on.

n8n (a workflow automation platform) has a SQL injection vulnerability (a type of attack where malicious code is inserted into database queries) in its Source Control Pull feature. An attacker with write access to a connected git repository could commit a malicious file that, when pulled by an administrator, executes harmful SQL commands on n8n's internal PostgreSQL database (the system that stores data).

FlowiseAI has a vulnerability where encrypted credential data (like API keys and passwords) is accidentally exposed when users request credentials using a filter parameter. The code correctly hides this sensitive data when no filter is used, but fails to remove it when filtering by credential name, allowing authenticated users to steal encrypted credentials if they also access the encryption key file stored on the system.

FlowiseAI has a mass assignment vulnerability (a flaw where a server accepts fields it shouldn't let users modify) in its assistant update endpoint that lets authenticated users change server-controlled properties like workspaceId, createdDate, and updatedDate. Because the server lacks proper validation and authorization checks, an attacker can reassign assistants to different workspaces, potentially breaking the isolation between separate workspaces in multi-tenant environments (systems serving multiple independent organizations).

Flowise, a tool for building AI applications, has a security vulnerability in its MCP feature (model context protocol, which lets AI tools run system commands) that allows attackers to bypass command restrictions and execute arbitrary code. The vulnerability has three bypass methods: the 'docker build' command isn't blocked (allowing remote code execution through malicious Dockerfiles), the 'npx --yes' long parameter isn't blocked (allowing installation of malicious packages), and a third unspecified method. Any Flowise user can exploit this if the system has docker or npx installed.

FlowiseAI's checkBasicAuth endpoint (a feature that checks login credentials) has a security flaw where it accepts plaintext passwords without rate limiting (restrictions on how many login attempts are allowed), making it vulnerable to brute-force attacks (where attackers try many password combinations rapidly). The endpoint also reveals whether a username exists by returning different success and failure messages, and uses direct string comparison instead of constant-time comparison (a timing-attack-resistant method that takes the same time regardless of where strings differ).

FlowiseAI has a mass assignment vulnerability (a flaw where an attacker can modify server-controlled fields by including them in their input) in its chatflow update endpoint that allows authenticated users to change protected properties like workspaceId, deployed status, and visibility settings. An attacker can reassign chatflows to other workspaces and modify deployment or visibility settings without authorization because the server doesn't validate which fields should be editable.

FlowiseAI has a mass assignment vulnerability (a security flaw where an attacker can modify fields they shouldn't be able to change) in its tool update endpoint that allows authenticated users to reassign tools to different workspaces by manipulating the workspaceId field in their requests. The server fails to validate which properties users can modify, allowing attackers to change server-controlled fields like workspaceId, createdDate, and updatedDate, which breaks tenant isolation (the security boundary that keeps different users' data separate) in multi-workspace environments.

FlowiseAI has a mass assignment vulnerability (a flaw where an application accepts unintended user input to modify server-controlled data) in its variable update endpoint that lets authenticated users change internal fields like workspaceId, createdDate, and updatedDate. Because the server doesn't properly validate or check permissions, attackers can reassign variables to different workspaces, potentially breaking tenant isolation (the separation that keeps different organizations' data separate in shared systems).

SQLBot is a Text-to-SQL system (software that converts natural language questions into database queries) that uses large language models and RAG (retrieval-augmented generation, where the AI pulls in external documents to answer questions). Before version 1.8.0, it had an IDOR vulnerability (insecure direct object reference, where an attacker can access resources belonging to other users by manipulating request parameters), allowing attackers to access and modify database schemas and data from other workspaces or organizations.

GitHub Copilot CLI (an AI tool that helps developers write code from the command line) has a security vulnerability in versions before 1.0.43 where a malicious bare git repository (a special type of git storage folder with no working files) hidden in a project can trick the tool into running harmful commands. An attacker can exploit git's automatic discovery of these repositories and use configuration keys like core.fsmonitor (settings that tell git what commands to run during normal operations) to execute arbitrary code without the user knowing.