Submit #777657: FlowiseAI Flowise <= 3.0.12 Authorization Bypass Through User-Controlled Key (CWE-639)

Title: FlowiseAI Flowise <= 3.0.12 Authorization Bypass Through User-Controlled Key (CWE-639)
Description:

# Technical Details

A Missing Authorization (IDOR) vulnerability exists in the `read()` methods of `user.controller.ts`, `organization-user.controller.ts`, and `workspace-user.controller.ts` in FlowiseAI Flowise. The application implements role-based access control for mutating operations (POST, PUT, DELETE) using `checkPermission()` middleware, but the corresponding GET (read) routes for user management are registered without any permission middleware. The controllers accept arbitrary user-controlled query parameters (userId, organizationId, workspaceId, email) and pass them directly to database queries without ownership verification.

# Vulnerable Code

File: packages/server/src/routes/user.route.ts (line 7), organization-user.route.ts (line 9), workspace-user.route.ts (line 10)

Method: read() in user.controller.ts, organization-user.controller.ts, workspace-user.controller.ts

Why: GET routes are registered without checkPermission() middleware. The read() controllers accept arbitrary query parameters and return results without verifying the requester's relationship to the queried entities. Fix commit 83036b1a1 for PR #5652 initially added checks but then removed them before merging.

# Reproduction

1. Deploy Flowise: docker run -d --name flowise-idor -p 3000:3000 flowiseai/flowise:latest
2. Register and authenticate to get a JWT cookie.
3. IDOR: GET /api/v1/user?email=<any_email> returns any user's full profile.
4. IDOR: GET /api/v1/organizationuser?userId=<leaked_id> returns organization membership.
5. IDOR: GET /api/v1/workspaceuser?userId=<leaked_id> returns workspace membership.

# Impact

- Cross-tenant data access: a user from Organization A can read profiles/membership of Organization B.
- Full organizational reconnaissance from a single low-privilege account.
- Leaked IDs enable targeted privilege escalation attacks.
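The defect described above is a read handler that trusts its query parameters and sits on a route with no permission middleware. The following added example (not Flowise code; the request shape `{ user, query }`, the in-memory `USERS` table, the permission name `users:view` and all function names are assumptions made for this illustration) places the unguarded handler beside a hardened one that applies the same `checkPermission()`-style middleware the mutating routes get and then scopes the result to the requester's own organization, so a cross-tenant lookup is indistinguishable from a lookup of a user that does not exist.

```javascript
// Added illustration of the missing-check pattern and one way to close it.
// NOT Flowise code: request shape, USERS table, the 'users:view' permission
// and every function name here are assumptions for this demo.

// Constructed sample data: one user in each of two organizations (tenants).
const USERS = [
  { id: 'u1', email: 'alice@org-a.example', organizationId: 'orgA', name: 'Alice' },
  { id: 'u2', email: 'bob@org-b.example', organizationId: 'orgB', name: 'Bob' },
];

// Lookup by either key, mirroring a controller that forwards query params.
function findUser({ email, userId }) {
  return USERS.find(u => (email !== undefined && u.email === email) ||
                         (userId !== undefined && u.id === userId)) || null;
}

// Vulnerable shape: query parameters flow straight into the lookup. No
// permission middleware runs before the handler and nothing checks that the
// requester has any relationship to the record returned, so any authenticated
// account resolves any other user's profile by email or id.
function readUserVulnerable(req) {
  const found = findUser(req.query);
  return found ? { status: 200, body: found } : { status: 404, body: null };
}

// Permission middleware of the kind the advisory says the POST/PUT/DELETE
// routes already have. Returns a response to short-circuit with, or null.
function checkPermission(required) {
  return (req) => {
    if (!req.user) return { status: 401, body: { error: 'unauthenticated' } };
    if (!req.user.permissions.includes(required)) {
      return { status: 403, body: { error: 'forbidden' } };
    }
    return null;
  };
}

// Hardened shape: (1) checkPermission() guards the read unless the caller is
// only asking about themself, and (2) the handler scopes the result to the
// requester's own organization. A cross-tenant hit gets the same 404 as a
// non-existent user, so the endpoint cannot confirm that an email or id
// exists in another tenant.
function readUserHardened(req) {
  if (!req.user) return { status: 401, body: { error: 'unauthenticated' } };
  const { email, userId } = req.query;
  const isSelfQuery =
    (email === undefined || email === req.user.email) &&
    (userId === undefined || userId === req.user.id) &&
    (email !== undefined || userId !== undefined);
  if (!isSelfQuery) {
    const denied = checkPermission('users:view')(req);
    if (denied) return denied;
  }
  const found = findUser(req.query);
  if (!found || found.organizationId !== req.user.organizationId) {
    return { status: 404, body: null };
  }
  return { status: 200, body: found };
}

// Builds a demo request; `permissions` defaults to none (low-privilege user).
function requestAs(user, query, permissions = []) {
  return { user: user && { ...user, permissions }, query };
}
```

Running `readUserVulnerable(requestAs(USERS[0], { email: USERS[1].email }))` returns Bob's record to Alice with status 200, which is the cross-tenant read the advisory describes; the hardened handler returns 403 for the same request, and 404 even when Alice holds `users:view`, while still returning her own profile for a self lookup without the extra permission. The two defensive layers are deliberately independent: the middleware alone would still let any account with the permission read across tenants, and the tenant scope alone would still let every account enumerate its own tenant, so a route needs both.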
Source: https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b
User: Eric-a (UID 96353)
Submitted: 11/03/2026 14:57 (3 months ago)
Moderated: 06/05/2026 09:40 (2 months later)
Status: Accepted
VulDB entry: 361274 [FlowiseAI Flowise up to 3.0.12 User Controller userId/organizationId/workspaceId/email privilege escalation]
Points: 20
