Cyber Resilience

CVE-2026-30820

Severity: High · Public PoC
Published: 07 March 2026
Modified: 11 March 2026
CVSS Score (v4): 8.7
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0048 (37.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-30820 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Flowiseai Flowise. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 37.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-30820 is a privilege escalation vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. In versions prior to 3.0.13, Flowise trusts any HTTP client that sets the header "x-request-from: internal", a value the client fully controls, enabling the bypass of all authorization checks on /api/v1/** endpoints. Classified as CWE-863 (Incorrect Authorization), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A low-privilege authenticated tenant can exploit this over the network by including the trusted header in requests using only a valid browser session cookie. This grants access to sensitive internal administration endpoints, such as API key management, credential stores, and custom function execution, resulting in effective privilege escalation with high impacts on confidentiality, integrity, and availability.

The issue was patched in Flowise version 3.0.13. Official mitigation details are available in the release notes at https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 and the GitHub security advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq.

As Flowise supports LLM workflow construction, the vulnerability holds relevance for AI/ML deployments handling sensitive credentials or API integrations.

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: flowise, large language model

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Auth bypass on admin endpoints directly enables exploitation for privilege escalation (T1068); custom function execution maps to command/scripting (T1059); access to credential stores/API keys maps to unsecured credentials (T1552).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41266 (same product: Flowiseai Flowise)
CVE-2026-41137 (same product: Flowiseai Flowise)
CVE-2026-41278 (same product: Flowiseai Flowise)
CVE-2026-41270 (same product: Flowiseai Flowise)
CVE-2026-30824 (same product: Flowiseai Flowise)
CVE-2026-31829 (same product: Flowiseai Flowise)
CVE-2026-41269 (same product: Flowiseai Flowise)
CVE-2026-41265 (same product: Flowiseai Flowise)
CVE-2025-58434 (same product: Flowiseai Flowise)
CVE-2025-59528 (same product: Flowiseai Flowise)

Affected Assets

flowiseai / flowise: ≤ 3.0.13

Mitigating Controls (NIST 800-53 r5)

AC-3 (prevent): AC-3 requires enforcement of approved authorizations on system resources, directly mitigating the CVE's authorization bypass via the trusted 'x-request-from: internal' header on /api/v1 endpoints.

AC-6 (prevent): AC-6 enforces least privilege, limiting damage from privilege escalation by ensuring low-privilege tenants cannot access admin endpoints even if authorization is partially bypassed.

SI-10 (prevent): SI-10 mandates validation of external inputs like HTTP headers, preventing exploitation by rejecting or sanitizing the untrusted 'x-request-from: internal' header.
