CVE-2026-41279 Overview
CVE-2026-41279 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in Flowise, a drag and drop user interface for building customized large language model flows. Prior to version 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted without authentication and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt stored credentials (such as OpenAI or ElevenLabs API keys) and generate speech, allowing unauthenticated attackers to abuse stored API credentials.
Critical Impact
Unauthenticated attackers can leverage stored API credentials to generate text-to-speech content, potentially leading to unauthorized API usage, financial charges, and abuse of third-party services.
Affected Products
- Flowise versions prior to 3.1.0
Discovery Timeline
- 2026-04-23 - CVE-2026-41279 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41279
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, commonly known as an Insecure Direct Object Reference (IDOR). The root issue lies in the authentication whitelist configuration for the text-to-speech endpoint, which allows any unauthenticated user to access the API endpoint and supply arbitrary credential identifiers.
When an attacker submits a request to the /api/v1/text-to-speech/generate endpoint without a valid chatflowId but with a valid credentialId, the application fails to verify whether the requester is authorized to use those credentials. The endpoint then proceeds to decrypt the stored credential and use it for text-to-speech generation. This allows attackers who can enumerate or guess valid credential IDs to leverage the victim's API keys without authorization.
Root Cause
The root cause of this vulnerability stems from improper access control in the Flowise API architecture. The text-to-speech endpoint was incorrectly added to an authentication whitelist, bypassing the normal authorization checks. Additionally, the endpoint logic fails to enforce that a chatflowId must be provided or that the requesting user has ownership of the referenced credentialId. This combination of missing authentication and missing authorization creates a direct path for credential abuse.
Attack Vector
The attack is conducted over the network and requires no authentication or user interaction. An attacker can craft a POST request to the vulnerable endpoint, supplying a credentialId parameter in the request body. If the attacker can enumerate valid credential identifiers (through brute force, information disclosure, or predictable ID patterns), they can abuse any stored API credentials for text-to-speech generation.
The attack flow consists of:
- Identifying or enumerating valid credentialId values
- Sending a POST request to /api/v1/text-to-speech/generate with the target credentialId
- The server decrypts the stored credential and uses it to generate speech
- The attacker can repeatedly abuse the API key, potentially incurring charges or exhausting rate limits
For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-41279
Indicators of Compromise
- Unexpected or elevated API usage on connected services (OpenAI, ElevenLabs, etc.)
- Access logs showing requests to /api/v1/text-to-speech/generate from unknown or unauthorized IP addresses
- Requests to the text-to-speech endpoint without accompanying chatflowId parameters
- Unusual billing charges from third-party API providers
Detection Strategies
- Monitor access logs for unauthenticated requests to the /api/v1/text-to-speech/generate endpoint
- Implement anomaly detection for credential usage patterns to identify unauthorized API key access
- Configure alerting for requests to the text-to-speech endpoint that lack a valid chatflowId
Monitoring Recommendations
- Enable detailed request logging for all Flowise API endpoints
- Set up real-time monitoring and alerting for third-party API usage (OpenAI, ElevenLabs) to detect unusual activity
- Review and audit the authentication whitelist configuration to ensure only intended endpoints are publicly accessible
How to Mitigate CVE-2026-41279
Immediate Actions Required
- Upgrade Flowise to version 3.1.0 or later immediately
- Audit access logs for any suspicious requests to the text-to-speech endpoint prior to upgrading
- Rotate any API credentials (OpenAI, ElevenLabs, etc.) that may have been exposed
- Review third-party API billing statements for unauthorized usage
Patch Information
This vulnerability is fixed in Flowise version 3.1.0. The patch removes the text-to-speech endpoint from the authentication whitelist and implements proper authorization checks to ensure that credentials can only be accessed by authorized users with valid session context.
For more details, see the GitHub Security Advisory.
Workarounds
- If immediate upgrade is not possible, restrict network access to the Flowise instance using firewall rules or a reverse proxy
- Implement Web Application Firewall (WAF) rules to block unauthenticated requests to the /api/v1/text-to-speech/generate endpoint
- Temporarily disable the text-to-speech functionality by removing or invalidating stored credentials until the patch can be applied
# Example: Block access to vulnerable endpoint using nginx
location /api/v1/text-to-speech/generate {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
