CVE-2026-8028: FlowiseAI Information Disclosure Flaw

CVE-2026-8028 Overview

CVE-2026-8028 is an information disclosure vulnerability in FlowiseAI Flowise versions up to and including 3.0.12. The flaw resides in the verify function within packages/server/src/enterprise/services/account.service.ts, exposed through an Endpoint component. Remote attackers can manipulate the affected function to disclose information without authentication or user interaction. The weakness is classified under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor). A public exploit is available, though the disclosure indicates that successful exploitation requires high attack complexity. FlowiseAI recommends upgrading the affected component to remediate the issue.

Critical Impact

Remote, unauthenticated attackers can trigger the verify function in Flowise's account service to disclose sensitive account information, with public proof-of-concept code already available.

Affected Products

• FlowiseAI Flowise versions up to 3.0.12
• Component: Endpoint exposing account.service.tsverify function
• Enterprise account service module (packages/server/src/enterprise/services/account.service.ts)

Discovery Timeline

• 2026-05-06 - CVE-2026-8028 published to NVD
• 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2026-8028

Vulnerability Analysis

The vulnerability exists in the verify function of packages/server/src/enterprise/services/account.service.ts, which is part of Flowise's enterprise account service. Manipulation of input handled by this function results in unintended disclosure of sensitive data through the affected Endpoint. Flowise is a low-code platform for building large language model (LLM) applications, so the account service handles authentication-related state for enterprise deployments.

The issue is categorized as [CWE-200], indicating that the function returns or exposes information to actors not authorized to receive it. Remote network access is the only prerequisite, and no privileges or user interaction are required. The advisory notes high attack complexity, which suggests that exploitation depends on specific request shapes or timing rather than a trivial direct call.

Root Cause

The root cause is improper handling within the verify routine that allows an external caller to obtain account-related information that should remain internal. The function does not adequately constrain what data is returned in response paths reachable by unauthenticated requests. Because the logic lives in the enterprise account service, the disclosed data may relate to verification tokens, account state, or identifiers used during user verification flows.

Attack Vector

Exploitation occurs over the network against the Flowise Endpoint that exposes the verify function. An attacker crafts requests to the verification endpoint and parses responses or side effects to extract information. A public proof-of-concept is published as a GitHub gist, lowering the barrier despite the high-complexity rating. See the GitHub PoC Repository and VulDB #361276 for technical references.

No verified code examples are available for inclusion. Refer to the linked PoC and VulDB entries for request structure and response analysis details.

Detection Methods for CVE-2026-8028

Indicators of Compromise

• Unusual volume of requests to Flowise enterprise verification endpoints from a single source IP or autonomous system
• Requests to the account verify route with malformed, brute-forced, or enumerated parameter values
• Application logs showing repeated verify invocations returning non-error responses to unauthenticated callers

Detection Strategies

• Inspect Flowise application and reverse proxy logs for repeated calls to the account verification path tied to the enterprise service
• Alert on anomalous response size or content variance from the verify endpoint, which may indicate information leakage
• Correlate verification endpoint traffic with successful account takeover or credential reuse attempts downstream

Monitoring Recommendations

• Forward Flowise server logs and ingress logs to a centralized logging or SIEM platform for retention and search
• Baseline normal traffic patterns to /enterprise/ routes and trigger detections on deviations
• Monitor for outbound traffic from Flowise hosts to the published PoC gist or known scanning infrastructure

How to Mitigate CVE-2026-8028

Immediate Actions Required

• Upgrade FlowiseAI Flowise beyond version 3.0.12 once a fixed release is published by the vendor
• Restrict network exposure of Flowise enterprise endpoints to trusted networks or behind authenticated reverse proxies
• Review access logs for the verify endpoint to identify prior probing or exploitation attempts

Patch Information

The advisory recommends upgrading the affected component. Consult the VulDB entry for CVE-2026-8028 and the FlowiseAI release channel for the specific fixed version. No vendor advisory URL is included in the enriched data at the time of publication.

Workarounds

• Place Flowise behind an authenticating reverse proxy or VPN if the enterprise verification endpoint must remain reachable
• Apply rate limiting and IP allowlisting on the verify route to slow enumeration and probing
• Disable the enterprise account service if it is not required for your deployment

# Example nginx rate limit and allowlist for the Flowise verify endpoint
limit_req_zone $binary_remote_addr zone=flowise_verify:10m rate=5r/m;

location /api/v1/account/verify {
    allow 10.0.0.0/8;
    deny all;
    limit_req zone=flowise_verify burst=5 nodelay;
    proxy_pass http://flowise_backend;
}