CVE-2026-56268 Flowise CVE debrief

Who should care

Organizations using Flowise before version 3.1.2 should be aware of this vulnerability. Specifically, administrators and security teams responsible for Flowise installations should assess their exposure and take necessary actions to mitigate the risk. This vulnerability could potentially allow attackers to gain unauthorized access to sensitive information across different workspaces.

Technical summary

The vulnerability is caused by the lack of a workspace filter in the query used by the /api/v1/chatflows/apikey/:apikey endpoint. When an API key is provided without the keyonly query parameter, the endpoint returns all chatflows, including those not bound to the supplied API key. This allows for unintended information disclosure across workspaces. The CVSS score for this vulnerability is 5.3, indicating a medium severity level.

Defensive priority

Given the medium severity of this vulnerability (CVSS score of 5.3) and its potential impact on data confidentiality, defenders should prioritize patching or mitigating this issue. Upgrading Flowise to version 3.1.2 or later is recommended to fix this vulnerability.

Recommended defensive actions

• Upgrade Flowise to version 3.1.2 or later to fix the vulnerability.
• Implement additional monitoring to detect and respond to potential exploitation attempts.
• Review and restrict API key access and permissions to minimize exposure.
• Consider implementing compensating controls, such as IP restrictions or additional authentication mechanisms, for the affected endpoint.
• Conduct a thorough inventory of Flowise installations and configurations to identify potential vulnerabilities.

Evidence notes

The information provided is based on the CVE-2026-56268 record and related sources. The vulnerability was published on June 22, 2026, and last modified on June 25, 2026. The CVSS score is 5.3, with a medium severity level. The vulnerability affects Flowise versions prior to 3.1.2.

Official resources