Information Disclosure Vulnerability in Flowise API Endpoint
CVE-2026-56268

5.3 MEDIUM

Key Information:

Vendor: Flowise

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-56268?

Flowise, prior to version 3.1.2, is susceptible to an information disclosure vulnerability in its API endpoint /api/v1/chatflows/apikey/:apikey. When the keyonly query parameter is not included, the endpoint fails to filter results by workspace, inadvertently exposing all chatflows that lack an API key. Consequently, a malicious actor with a legitimate API key from one workspace can gain access to sensitive configurations from all unprotected chatflows across different workspaces, including the flowData, chatbot configurations, and API credentials. This vulnerability underscores the necessity for stricter access controls and proper filtering mechanisms.
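The filtering gap described above can be modelled in a few lines. This is an added example, not Flowise source code: the record shapes, the sample data and the function names (listVulnerable, listScoped, crossWorkspaceLeaks) are hypothetical, and it assumes a chatflow "lacks an API key" when its apikeyid is null. It shows the unscoped lookup beside a workspace-scoped one, plus a regression check that reports any chatflow returned from outside the caller's workspace.

```typescript
// Hypothetical model of the flaw; names and data are constructed, not Flowise source.
type Chatflow = { id: string; workspaceId: string; apikeyid: string | null };
type ApiKey = { id: string; workspaceId: string };

// Constructed sample data: two workspaces, each with one chatflow that has no API key.
const CHATFLOWS: Chatflow[] = [
  { id: "cf-a1", workspaceId: "ws-a", apikeyid: "key-a" },
  { id: "cf-a2", workspaceId: "ws-a", apikeyid: null },
  { id: "cf-b1", workspaceId: "ws-b", apikeyid: "key-b" },
  { id: "cf-b2", workspaceId: "ws-b", apikeyid: null },
];

// Behaviour described in the advisory: without keyonly, chatflows that lack
// an API key are added to the result with no workspace condition.
function listVulnerable(key: ApiKey, keyonly: boolean): Chatflow[] {
  return CHATFLOWS.filter(
    (cf) => cf.apikeyid === key.id || (!keyonly && cf.apikeyid === null)
  );
}

// Hardened lookup: the workspace condition applies to every branch,
// so the "no API key" clause can only match the caller's own workspace.
function listScoped(key: ApiKey, keyonly: boolean): Chatflow[] {
  return CHATFLOWS.filter(
    (cf) =>
      cf.workspaceId === key.workspaceId &&
      (cf.apikeyid === key.id || (!keyonly && cf.apikeyid === null))
  );
}

// Regression check: ids in the response that belong to another workspace.
// An empty array means the lookup respects the workspace boundary.
function crossWorkspaceLeaks(
  list: (key: ApiKey, keyonly: boolean) => Chatflow[],
  key: ApiKey,
  keyonly: boolean
): string[] {
  return list(key, keyonly)
    .filter((cf) => cf.workspaceId !== key.workspaceId)
    .map((cf) => cf.id);
}
```

Running crossWorkspaceLeaks against both lookups with keyonly on and off covers the two code paths the advisory distinguishes; only the unscoped lookup without keyonly returns a foreign chatflow.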

Affected Version(s)

Flowise 0 < 3.1.2

Flowise 3.1.2

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

offset