Auth bypass in Flowiseai Flowise

CVE-2026-41279

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId dire…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.001 (31.1th percentile) — read the EPSS interpretation.

Affected products

Flowiseai Flowise — versions < 3.1.0

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5fw2-mwhh-9947 (x_refsource_CONFIRM)