Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 8af2ed4e7cd6 · 2026-04-16T21:21:19.000Z
GHSA-6pcv-j4jx-m4vx GHSA-c9gw-hvqq-f33r GHSA-gj9q-8w99-mp8j
diff --git a/advisories/github-reviewed/2026/04/GHSA-6pcv-j4jx-m4vx/GHSA-6pcv-j4jx-m4vx.json b/advisories/github-reviewed/2026/04/GHSA-6pcv-j4jx-m4vx/GHSA-6pcv-j4jx-m4vx.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6pcv-j4jx-m4vx",
+  "modified": "2026-04-16T21:20:05Z",
+  "published": "2026-04-16T21:20:05Z",
+  "aliases": [],
+  "summary": "Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request",
+  "details": "### Summary\nI have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth credentials (Client Secrets) in cleartext.\n\n\n### PoC\nThe following request can be sent by anyone on the internet without any cookies or authorization headers.\n\nRequest\n```http\nGET /api/v1/loginmethod?organizationId=<any_organization_id> HTTP/2\nHost: cloud.flowiseai.com\nAccept: application/json\nContent-Type: application/json\n```\n\nResponse: The server returns 200 OK with sensitive credentials:\n```json\n{\n  \"providers\": [\n    {\n      \"id\": \"a04ba769-b810-481d-8d6b-84f8c377dea5\",\n      \"organizationId\": \"bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d\",\n      \"name\": \"azure\",\n      \"config\": {\n        \"tenantID\": \"\",\n        \"clientID\": \"\",\n        \"clientSecret\": \"\"\n      },\n      \"status\": \"disable\",\n      \"createdDate\": \"2025-12-26T18:52:33.453Z\",\n      \"updatedDate\": \"2025-12-26T19:31:56.087Z\",\n      \"createdBy\": \"6ab311fa-0d0a-4bd6-996e-4ae721377fb2\",\n      \"updatedBy\": \"6ab311fa-0d0a-4bd6-996e-4ae721377fb2\"\n    },\n    {\n      \"id\": \"eda8bd90-1c45-4aca-933f-3a53d9be4161\",\n      \"organizationId\": \"bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d\",\n      \"name\": \"google\",\n      \"config\": {\n        \"clientID\": \"123455\",\n        \"clientSecret\": \"123455\"\n      },\n      \"status\": \"enable\",\n      \"createdDate\": \"2025-12-26T18:52:33.453Z\",\n      \"updatedDate\": \"2025-12-26T19:31:56.087Z\",\n      \"createdBy\": \"6ab311fa-0d0a-4bd6-996e-4ae721377fb2\",\n      \"updatedBy\": \"6ab311fa-0d0a-4bd6-996e-4ae721377fb2\"\n    },\n    {\n      \"id\": \"0d238df0-c89c-4733-bf57-6ec06f58c7e7\",\n      \"organizationId\": \"bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d\",\n      \"name\": \"auth0\",\n      \"config\": {\n        \"domain\": \"\",\n        \"clientID\": \"\",\n        \"clientSecret\": \"\"\n      },\n      \"status\": \"disable\",\n      \"createdDate\": \"2025-12-26T18:52:33.453Z\",\n      \"updatedDate\": \"2025-12-26T19:31:56.087Z\",\n      \"createdBy\": \"6ab311fa-0d0a-4bd6-996e-4ae721377fb2\",\n      \"updatedBy\": \"6ab311fa-0d0a-4bd6-996e-4ae721377fb2\"\n    },\n    {\n      \"id\": \"e060ae88-c7f4-4b7c-9bdc-5321963a1648\",\n      \"organizationId\": \"bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d\",\n      \"name\": \"github\",\n      \"config\": {\n        \"clientID\": \"\",\n        \"clientSecret\": \"\"\n      },\n      \"status\": \"disable\",\n      \"createdDate\": \"2025-12-26T18:52:33.453Z\",\n      \"updatedDate\": \"2025-12-26T19:31:56.087Z\",\n      \"createdBy\": \"6ab311fa-0d0a-4bd6-996e-4ae721377fb2\",\n      \"updatedBy\": \"6ab311fa-0d0a-4bd6-996e-4ae721377fb2\"\n    }\n  ],\n  \"callbacks\": [\n    {\n      \"providerName\": \"azure\",\n      \"callbackURL\": \"https://cloud.flowiseai.com/api/v1/azure/callback\"\n    },\n    {\n      \"providerName\": \"google\",\n      \"callbackURL\": \"https://cloud.flowiseai.com/api/v1/google/callback\"\n    },\n    {\n      \"providerName\": \"auth0\",\n      \"callbackURL\": \"https://cloud.flowiseai.com/api/v1/auth0/callback\"\n    },\n    {\n      \"providerName\": \"github\",\n      \"callbackURL\": \"https://cloud.flowiseai.com/api/v1/github/callback\"\n    }\n  ]\n}\n```\n### Affected Deployments\n- FlowiseAI Cloud (cloud.flowiseai.com)\n- Self-hosted FlowiseAI instances where the /api/v1/loginmethod endpoint is exposed\n\n### Impact\nAn unauthenticated attacker can harvest sensitive API secrets (Google, Microsoft, GitHub Client Secrets) from any organization on the cloud platform. This leads to complete compromise of the organization's third-party integrations and potential data breaches.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "flowise"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.1.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.0.13"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6pcv-j4jx-m4vx"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/FlowiseAI/Flowise"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306",
+      "CWE-312"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:20:05Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-c9gw-hvqq-f33r/GHSA-c9gw-hvqq-f33r.json b/advisories/github-reviewed/2026/04/GHSA-c9gw-hvqq-f33r/GHSA-c9gw-hvqq-f33r.json
@@ -0,0 +1,90 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c9gw-hvqq-f33r",
+  "modified": "2026-04-16T21:18:17Z",
+  "published": "2026-04-16T21:18:17Z",
+  "aliases": [
+    "CVE-2026-40933"
+  ],
+  "summary": "Flowise: Authenticated RCE Via MCP Adapters",
+  "details": "### Summary\nDue to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution.\n\n### Details\nThe vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in http://localhost:3000/canvas - where any user can add a new MCP, when doing so - adding a new MCP using stdio, the user can add any command, even though your code have input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands - these commands, for example \"npx\" can be combined with code execution arguments (\"-c touch /tmp/pwn\") that enable direct code execution on the underlying OS.\n\nhttps://github.com/FlowiseAI/Flowise/blob/d848baeb6bd9737a1e7fc912349c45fbdcc7bb38/packages/components/nodes/tools/MCP/core.ts#L223\n\nhttps://github.com/FlowiseAI/Flowise/blob/d848baeb6bd9737a1e7fc912349c45fbdcc7bb38/packages/components/nodes/tools/MCP/core.ts#L177\n\nhttps://github.com/FlowiseAI/Flowise/blob/d848baeb6bd9737a1e7fc912349c45fbdcc7bb38/packages/components/nodes/tools/MCP/core.ts#L269\n\n\n### PoC\nCreate a new Custom MCP and add an \"npx -c\" command.\n```\n{\n    \"command\": \"npx\",\n    \"args\": [\n        \"-c\",\n        \"touch /tmp/pwn\"\n    ]\n}\n```\n<img width=\"358\" height=\"628\" alt=\"Screenshot 2026-01-12 at 18 32 37\" src=\"https://github.com/user-attachments/assets/d95c1ae2-23a7-4afe-b586-722003baf50e\" />\n\n### Impact\nThis is an authenticated arbitrary command execution due to unsanitized input, even though the input is sanitized, more protections should be added in order to close ways for attackers to execute arbitrary commands.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "flowise"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.1.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.0.13"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "flowise-components"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.1.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.0.13"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-c9gw-hvqq-f33r"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/FlowiseAI/Flowise"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:18:17Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-gj9q-8w99-mp8j/GHSA-gj9q-8w99-mp8j.json b/advisories/github-reviewed/2026/04/GHSA-gj9q-8w99-mp8j/GHSA-gj9q-8w99-mp8j.json
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gj9q-8w99-mp8j",
+  "modified": "2026-04-16T21:19:21Z",
+  "published": "2026-04-16T21:19:21Z",
+  "aliases": [],
+  "summary": "OpenClaw: TOCTOU read in exec script preflight",
+  "details": "## Summary\n\nOpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nThe impact is limited. This was not arbitrary full-file disclosure through the preflight error path. The validator only surfaced derived preflight content, such as a matched token, a line number, or the first non-empty JavaScript line in one branch. Exploitation also required the ability to mutate the relevant workspace path during the preflight window.\n\nStill, this was a real TOCTOU boundary bug in code that is supposed to reason about workspace-local script files before execution. A file identity that passed the initial boundary validation could differ from the identity that was later read for preflight analysis.\n\n## Technical Details\n\nThe vulnerable flow performed separate path validation and file reads in `validateScriptFileForShellBleed`. Because the read was path-based, an attacker with write access to the workspace path could race replacement of the target after validation but before preflight read.\n\n## Fix\n\nPR #62333 replaced the check-then-read flow with a pinned safe-open/read path using the shared `readFileWithinRoot` helper. The fixed path performs boundary verification around the opened file identity and avoids relying on a mutable pathname for the final preflight read. Regression tests cover both pre-open and post-open swap windows.\n\n## Fix Commit(s)\n\n- `b024fae9e5df43e9b69b2daebb72be3469d52e91` (`fix(exec): replace TOCTOU check-then-read with atomic pinned-fd open in script preflight [AI]`)\n- PR: #62333\n\n## Release Process Note\n\nThe fix first shipped in `v2026.4.10`. Users should upgrade to `openclaw` `2026.4.10` or newer; the latest npm release already includes the fix.\n\n## Credits\n\nThanks to @kikayli for reporting this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.4.10"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gj9q-8w99-mp8j"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/pull/62333"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/b024fae9e5df43e9b69b2daebb72be3469d52e91"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-367"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:19:21Z",
+    "nvd_published_at": null
+  }
+}
