PatchSiren cyber security CVE debrief
CVE-2026-46440 FlowiseAI CVE debrief
A critical vulnerability, CVE-2026-46440, was found in Flowise, a drag-and-drop user interface for building customized large language model flows. The vulnerability has a CVSS score of 9.1 and was patched in version 3.1.2. The issue is that the checkBasicAuth endpoint validates credentials in plaintext, by direct comparison, and without any rate limiting.
- Vendor: FlowiseAI
- Product: Flowise
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-11
Who should care
Users of Flowise prior to version 3.1.2 should update to the latest version to mitigate this critical vulnerability.
Technical summary
The checkBasicAuth endpoint in Flowise validates credentials in plaintext, using a direct string comparison and with no rate limiting on failed attempts, which could allow authentication to be bypassed. The issue has been patched in version 3.1.2.
Defensive priority
high
Recommended defensive actions
- Update Flowise to version 3.1.2 or later.
Evidence notes
CVE-2026-46440 was published on 2026-06-08T16:16:41.043Z and modified on 2026-06-11T04:06:33.593Z.
Official resources
- CVE-2026-46440 CVE record (CVE.org)
- CVE-2026-46440 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
CVE-2026-46440 was patched in version 3.1.2.