CVE-2026-46440
Published: 08 June 2026
Summary
CVE-2026-46440 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Other ATLAS/OWASP Terms risk domain.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35107
Vulnerability details
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in…
more
version 3.1.2.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: flowise, large language model
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
No rate limiting on auth endpoint directly enables brute force/credential stuffing; plaintext credential validation enables network sniffing to capture credentials.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Training instructs users on protecting credentials from disclosure or unauthorized access.
Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials.
Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials.
Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.
Terminating or revoking credentials stops use of insufficiently protected or lingering credentials post-termination.
Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.
Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport.