CVE-2026-30820
Published: 07 March 2026
Summary
CVE-2026-30820 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Flowiseai Flowise. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 37.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-30820 is a privilege escalation vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. In versions prior to 3.0.13, Flowise trusts any HTTP client that sets the header "x-request-from: internal", allowing all authorization checks on /api/v1/** endpoints to be bypassed. Classified as CWE-863 (Incorrect Authorization), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A low-privilege authenticated tenant can exploit this over the network by including the trusted header in requests using only a valid browser session cookie. This grants access to sensitive internal administration endpoints, such as API key management, credential stores, and custom function execution, resulting in effective privilege escalation with high impacts on confidentiality, integrity, and availability.
The issue was patched in Flowise version 3.0.13. Official mitigation details are available in the release notes at https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 and the GitHub security advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq.
As Flowise supports LLM workflow construction, the vulnerability holds relevance for AI/ML deployments handling sensitive credentials or API integrations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10107
Vulnerability details
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: flowise, large language model
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Auth bypass on admin endpoints directly enables exploitation for privilege escalation (T1068); custom function execution maps to command/scripting (T1059); access to credential stores/API keys maps to unsecured credentials (T1552).
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations on system resources, directly mitigating the CVE's authorization bypass via the trusted 'x-request-from: internal' header on /api/v1 endpoints.
AC-6 enforces least privilege, limiting damage from privilege escalation by ensuring low-privilege tenants cannot access admin endpoints even if authorization is partially bypassed.
SI-10 mandates validation of external inputs like HTTP headers, preventing exploitation by rejecting or sanitizing the untrusted 'x-request-from: internal' header.