Headline
GHSA-v5w9-prxf-w882: Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
Summary
An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authentication.
Details
Critical vulnerability in Flowise 3.0.1 on-premise deployment allows unauthenticated attackers to exploit the /api/v1/account/register endpoint to add a new user and log in using it, enabling authentication bypass.
Meaning that the register functionality is by default open, allowing attackers to create an account and use the api without any restrictions or credentials.
PoC
A Flowise 3.0.1 instance was deployed via Docker for the purpose of this demonstration.
After successful deployment the instance setup organization page allows us to register the first account in the system.
Creating the first user research@evasec.io
Login to the account
The background request that created the first user to /api/v1/account/register
Response
We have found that it is possible to reuse the registration request multiple times without any restrictions to create an account and authenticate to the system using it.
Crafting a new request
{
"user": {
"name": "Malicious",
"email": "attacker@attack.io",
"type": "pro",
"credential": “Password123!”
}
}
Response with 201 code “Created”
Login using newly created user (attacker)
Success login
An unauthorized user can exploit this vulnerability to register an account and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication.
Impact
This is an authentication bypass vulnerability caused by an unprotected registration endpoint (/register).
Users of Flowise 3.0.1(latest) on-premise deployments are impacted. An unauthorized attacker can exploit this vulnerability to register an account after the organization set has been completed, and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication.
Summary
An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authentication.
Details
Critical vulnerability in Flowise 3.0.1 on-premise deployment allows unauthenticated attackers to exploit the /api/v1/account/register endpoint to add a new user and log in using it, enabling authentication bypass.
Meaning that the register functionality is by default open, allowing attackers to create an account and use the api without any restrictions or credentials.
PoC
A Flowise 3.0.1 instance was deployed via Docker for the purpose of this demonstration.
After successful deployment the instance setup organization page allows us to register the first account in the system.
Creating the first user research@evasec.io
Login to the account
The background request that created the first user to /api/v1/account/register
Response
We have found that it is possible to reuse the registration request multiple times without any restrictions to create an account and authenticate to the system using it.
Crafting a new request
{
"user": {
"name": "Malicious",
"email": "attacker@attack.io",
"type": "pro",
"credential": “Password123!”
}
}
Response with 201 code “Created”
Login using newly created user (attacker)
Success login
An unauthorized user can exploit this vulnerability to register an account and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication.
Impact
This is an authentication bypass vulnerability caused by an unprotected registration endpoint (/register).
Users of Flowise 3.0.1(latest) on-premise deployments are impacted. An unauthorized attacker can exploit this vulnerability to register an account after the organization set has been completed, and gain access to the Flowise API with authenticated privileges, effectively bypassing authentication.
References
- GHSA-v5w9-prxf-w882