| Title | FlowiseAI Flowise <= 3.0.12 Authorization Bypass Through User-Controlled Key (CWE-639) |
|---|
| Description | # Technical Details
An authorization bypass through a user-controlled key (IDOR, CWE-639) exists in the `read()` methods of `user.controller.ts`, `organization-user.controller.ts`, and `workspace-user.controller.ts` in FlowiseAI Flowise.
The application implements role-based access control for mutating operations (POST, PUT, DELETE) with the `checkPermission()` middleware, but the corresponding GET (read) routes for user management are registered without any permission middleware. The `read()` controllers accept arbitrary user-controlled query parameters (`userId`, `organizationId`, `workspaceId`, `email`) and pass them straight to database queries with no check that the requester has any relationship to the records being returned.
# Vulnerable Code
File: packages/server/src/routes/user.route.ts (line 7), organization-user.route.ts (line 9), workspace-user.route.ts (line 10)
Method: read() in user.controller.ts, organization-user.controller.ts, workspace-user.controller.ts
Why: GET routes are registered without checkPermission() middleware. The read() controllers accept arbitrary query parameters and return results without verifying the requester's relationship to the queried entities. Fix commit 83036b1a1 for PR #5652 initially added checks but then removed them before merging.
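As an added illustration (not Flowise's own code and not taken from the gist), the following TypeScript models the route registration and `read()` handlers the report describes, places a hardened variant beside each vulnerable one, and includes a small route-table audit that flags read routes registered without `checkPermission()`. The route table, sample users and memberships, field names and HTTP status codes are assumptions made for the example; only the endpoint paths come from the report.

```typescript
// Added example (not Flowise's own code): an in-memory model of the GET /api/v1/user
// and /api/v1/organizationuser read path as the report describes it, with a hardened
// variant beside each handler. Route table, data, field names and status codes are
// assumptions for illustration.

type Method = "GET" | "POST" | "PUT" | "DELETE";
interface Route { method: Method; path: string; middleware: string[] }

// Pattern from the report: mutating routes carry checkPermission(), read routes carry
// nothing. Paths are the report's; which mutations exist on each path is assumed.
const routesBefore: Route[] = [
  { method: "GET",    path: "/api/v1/user",             middleware: [] },
  { method: "PUT",    path: "/api/v1/user",             middleware: ["checkPermission"] },
  { method: "GET",    path: "/api/v1/organizationuser", middleware: [] },
  { method: "DELETE", path: "/api/v1/organizationuser", middleware: ["checkPermission"] },
  { method: "GET",    path: "/api/v1/workspaceuser",    middleware: [] },
  { method: "POST",   path: "/api/v1/workspaceuser",    middleware: ["checkPermission"] },
];

// Route-table audit: list every route registered without an authorization middleware.
// Running this over the real router in CI stops a read route from silently losing its check.
function routesWithoutAuthz(routes: Route[]): string[] {
  return routes
    .filter((r) => !r.middleware.includes("checkPermission"))
    .map((r) => `${r.method} ${r.path}`);
}

interface User { id: string; email: string; name: string; passwordHash: string }
interface Membership { userId: string; organizationId: string; role: string }
// requesterId is the user id taken from the verified session cookie (assumed field name).
interface Req { query: Record<string, string | undefined>; requesterId?: string }
interface Res { status: number; body: unknown }

// Constructed sample data: Alice belongs to org-a, Bob and Carol to org-b.
const users: User[] = [
  { id: "u1", email: "alice@org-a.example", name: "Alice", passwordHash: "$2b$10$alice" },
  { id: "u2", email: "bob@org-b.example",   name: "Bob",   passwordHash: "$2b$10$bob" },
  { id: "u3", email: "carol@org-b.example", name: "Carol", passwordHash: "$2b$10$carol" },
];
const memberships: Membership[] = [
  { userId: "u1", organizationId: "org-a", role: "owner" },
  { userId: "u2", organizationId: "org-b", role: "owner" },
  { userId: "u3", organizationId: "org-b", role: "member" },
];

const orgsOf = (userId: string): string[] =>
  memberships.filter((m) => m.userId === userId).map((m) => m.organizationId);
const shareOrg = (a: string, b: string): boolean => {
  const bOrgs = orgsOf(b);
  return orgsOf(a).some((o) => bOrgs.includes(o));
};
const publicView = ({ id, email, name }: User) => ({ id, email, name });

// Vulnerable read(): the caller-supplied ?email= is looked up and the whole record is
// returned; the requester's identity is never consulted.
function vulnerableUserRead(req: Req): Res {
  const u = users.find((x) => x.email === req.query.email);
  return u ? { status: 200, body: u } : { status: 404, body: null };
}

// Hardened read(): the requester must be authenticated and either be the target or share
// an organization with it, and only non-sensitive fields are returned. Unknown and
// out-of-tenant targets both get 404 so the endpoint is not an email-existence oracle.
function hardenedUserRead(req: Req): Res {
  if (!req.requesterId) return { status: 401, body: null };
  const u = users.find((x) => x.email === req.query.email);
  if (!u || (u.id !== req.requesterId && !shareOrg(req.requesterId, u.id))) {
    return { status: 404, body: null };
  }
  return { status: 200, body: publicView(u) };
}

// Vulnerable organization-user read(): returns memberships for any userId supplied.
function vulnerableOrgUserRead(req: Req): Res {
  return { status: 200, body: memberships.filter((m) => m.userId === req.query.userId) };
}

// Hardened variant: whatever userId is supplied, results are filtered to organizations
// the requester is a member of, so cross-tenant membership is never returned.
function hardenedOrgUserRead(req: Req): Res {
  if (!req.requesterId) return { status: 401, body: null };
  const mine = new Set(orgsOf(req.requesterId));
  const rows = memberships.filter((m) => m.userId === req.query.userId && mine.has(m.organizationId));
  return { status: 200, body: rows };
}
```

The hardened handlers answer an out-of-tenant lookup with the same 404 as an unknown address; answering 403 instead would still let a low-privilege account confirm which e-mail addresses exist on the instance, which is the first step of the reconnaissance the report describes.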
# Reproduction
1. Deploy Flowise: `docker run -d --name flowise-idor -p 3000:3000 flowiseai/flowise:latest` (to reproduce against an affected build, pin the image tag to a release <= 3.0.12 rather than `latest`, which may already contain the fix).
2. Register an account and authenticate to obtain the session JWT cookie; send that cookie with each request below.
3. IDOR: `GET /api/v1/user?email=<any_email>` returns the full profile of any user, regardless of the requester's organization.
4. IDOR: `GET /api/v1/organizationuser?userId=<leaked_id>` returns that user's organization membership.
5. IDOR: `GET /api/v1/workspaceuser?userId=<leaked_id>` returns that user's workspace membership.
# Impact
- Cross-tenant data access: a user in Organization A can read the profiles and membership records of Organization B.
- Full organizational reconnaissance (users, organizations, workspaces) from a single low-privilege account.
- Leaked user, organization and workspace IDs enable targeted privilege-escalation attacks. |
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b |
|---|
| User | Eric-a (UID 96353) |
|---|
| Submitted | 2026-03-11 14:57 (3 months ago) |
|---|
| Moderation | 2026-05-06 09:40 (2 months later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 361274 [FlowiseAI Flowise up to 3.0.12 User Controller userId/organizationId/workspaceId/email privilege escalation] |
|---|
| Points | 20 |
|---|