PatchSiren cyber security CVE debrief
CVE-2026-46443 FlowiseAI CVE debrief
CVE-2026-46443 is a high-severity vulnerability in Flowise, a drag & drop user interface for building customized large language model flows. The issue allows an attacker to access encrypted data when credentials are fetched with a credentialName filter parameter. This vulnerability has been patched in version 3.1.2.
- Vendor: FlowiseAI
- Product: Flowise
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-11
Who should care
Users of Flowise, especially those handling sensitive data, should be aware of this vulnerability and take immediate action to patch their installations.
Technical summary
In Flowise versions prior to 3.1.2, when fetching credentials with a credentialName filter parameter, the encryptedData field is not properly stripped from the response. This can lead to unintended exposure of sensitive information.
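The bug class described above, shown as an added example that is not Flowise source code: a listing function that strips `encryptedData` on the unfiltered branch but not on the `credentialName` branch, next to a hardened form that routes every branch through one sanitizer, plus a regression check that walks a response for the field. The record shape, the function names, the sample rows and the assumption that the unfiltered branch already strips the field are all hypothetical.

```javascript
// Added illustration; not Flowise code. Names and record shape are assumptions.
const SECRET_FIELDS = ['encryptedData'];

// Constructed sample rows standing in for stored credential records.
const sampleRows = [
  { id: 'c1', name: 'prod-openai', credentialName: 'openAIApi', encryptedData: 'CONSTRUCTED-CIPHERTEXT-1' },
  { id: 'c2', name: 'prod-pinecone', credentialName: 'pineconeApi', encryptedData: 'CONSTRUCTED-CIPHERTEXT-2' },
];

// Bug pattern: sanitization lives in only one branch, so the filtered branch
// returns rows exactly as stored, secret field included.
function listCredentialsVulnerable(rows, credentialName) {
  if (credentialName) {
    return rows.filter((r) => r.credentialName === credentialName);
  }
  return rows.map(({ encryptedData, ...rest }) => rest);
}

// Hardened form: one sanitizer, applied at the single exit point of every branch.
function toPublicCredential(row) {
  const out = { ...row };
  for (const field of SECRET_FIELDS) delete out[field];
  return out;
}

function listCredentialsHardened(rows, credentialName) {
  const selected = credentialName
    ? rows.filter((r) => r.credentialName === credentialName)
    : rows;
  return selected.map(toPublicCredential);
}

// Regression check: walk any parsed JSON response and return the paths at
// which a secret field appears, at any nesting depth.
function findLeakedFields(value, path = '$') {
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findLeakedFields(v, `${path}[${i}]`));
  }
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([key, v]) =>
    SECRET_FIELDS.includes(key)
      ? [`${path}.${key}`]
      : findLeakedFields(v, `${path}.${key}`));
}
```

Running `findLeakedFields` over both the filtered and unfiltered responses in an API test catches the case where a new query parameter introduces a branch that bypasses the sanitizer.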
Defensive priority
High
Recommended defensive actions
- Upgrade Flowise to version 3.1.2 or later.
- Review and adjust credential handling and filtering in your Flowise installation.
Evidence notes
This vulnerability was patched in version 3.1.2. For more information, see the [Flowise 3.1.2 release](https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2) and the [GitHub security advisory GHSA-7g73-99r4-m4mj](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-7g73-99r4-m4mj).
Official resources
- CVE-2026-46443 CVE record (CVE.org)
- CVE-2026-46443 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
CVE-2026-46443 was published on 2026-06-08T16:16:41.493Z and modified on 2026-06-11T04:08:36.827Z.