PatchSiren cyber security CVE debrief

CVE-2026-46444 FlowiseAI CVE debrief

A vulnerability was discovered in Flowise, a drag & drop user interface for building customized large language model flows. The issue, tracked as CVE-2026-46444, affects versions prior to 3.1.2 and carries a CVSS score of 8.7 (high severity). The root cause is a missing authorization middleware on the CRUD endpoints of the OpenAI Assistants Vector Store feature, served under the /api/v1/openai-assistants-vector-store route. The route does require API key authentication, but it performs no permission checks on the operations themselves, so authentication alone decides access and any operation on the vector store can be carried out without an authorization decision.

Vendor: FlowiseAI
Product: Flowise
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-11
Advisory published: 2026-06-08
Advisory updated: 2026-06-11

Who should care

Operators running Flowise versions prior to 3.1.2 are affected and should update their installations.

Technical summary

In Flowise versions before 3.1.2 the CRUD endpoints of the OpenAI Assistants Vector Store feature are mounted without an authorization middleware. The affected route, /api/v1/openai-assistants-vector-store, enforces API key authentication but applies no permission checks, so any authenticated caller can perform any operation the endpoints expose.

Defensive priority

High

Recommended defensive actions

  • Update Flowise to version 3.1.2 or later to patch the vulnerability.
  • Review API key authenticated routes to confirm that a permission (authorization) check is applied after authentication, not authentication alone.

Evidence notes

The CVE-2026-46444 details were obtained from the official CVE record and NVD database.

Official resources

CVE-2026-46444 was published on 2026-06-08T16:16:41.660Z and modified on 2026-06-11T04:08:59.193Z.