Security Advisory - Published 2026-06-08 - Flowise
Flowise CVE-2026-46440: Basic Auth Self-Check
CVE-2026-46440 affects Flowise versions before 3.1.2. The GitHub advisory describes a Basic Auth endpoint that compared credentials directly and did not apply rate limiting, allowing repeated username and password attempts against exposed Flowise deployments.
Who is affected
- Product: Flowise
- CVE: CVE-2026-46440
- Affected versions: Flowise 3.1.1 and earlier, according to the GitHub advisory
- Fixed version: 3.1.2
- Risk area: Basic Auth credential checking without rate limiting
- Impact: successful brute-force access can expose flows, credentials, integrations, and workspace data
10-minute self-check
Step 1: Find the Flowise instance
docker ps --format 'table {{.Names}}\t{{.Image}}\t{{.Ports}}' | grep -i flowise
docker compose ps | grep -i flowise
If Flowise is reachable from the public internet, put it behind VPN, Cloudflare Access, or an IP allowlist before you spend time on deeper cleanup.
Step 2: Check the version
docker exec <container> sh -lc "npm list -g flowise --depth=0 2>/dev/null || node -p \"require('/usr/local/lib/node_modules/flowise/package.json').version\" 2>/dev/null"
Upgrade to 3.1.2 or newer if the instance is on 3.1.1 or earlier.
Step 3: Check auth exposure
- Confirm whether FLOWISE_USERNAME and FLOWISE_PASSWORD are set.
- Check whether the same credentials are reused in other admin tools.
- Review reverse proxy access logs for repeated login attempts.
- Check whether workspace credentials, API keys, and integrations were visible to the Flowise account.
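The three steps above can be scripted. The following is an added example written for this page; it is not part of the advisory and not Flowise or Ping7 tooling. It assumes Flowise versions are plain x.y.z strings, that the reverse proxy writes the default NGINX "combined" access log format, and that a run of 401 responses from one client IP is the signal a defender wants surfaced from the log review in Step 3. The log lines are constructed samples, not captures from a real deployment.

```shell
#!/bin/sh
# Added example for the Flowise CVE-2026-46440 self-check; not advisory, Flowise
# or Ping7 code. Assumptions: plain x.y.z version strings, NGINX "combined"
# access log format, repeated 401s per client IP as the review signal.

FIXED_VERSION="3.1.2"

# Exit status 0 if the given Flowise version is older than 3.1.2 (affected).
flowise_is_vulnerable() {
    ver="$1"
    oldIFS=$IFS
    IFS=.
    set -- $ver
    IFS=$oldIFS
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    pat=${pat%%[!0-9]*}; pat=${pat:-0}   # drop a pre-release suffix such as "-rc1"
    if [ "$maj" -lt 3 ]; then return 0; fi
    if [ "$maj" -gt 3 ]; then return 1; fi
    if [ "$min" -lt 1 ]; then return 0; fi
    if [ "$min" -gt 1 ]; then return 1; fi
    [ "$pat" -lt 2 ]
}

# Print "<ip> <count>" for each client IP with at least <threshold> 401
# responses in an NGINX access log, busiest first.
# Usage: flowise_repeated_logins <access.log> [threshold, default 20]
flowise_repeated_logins() {
    logfile="$1"; threshold="${2:-20}"
    awk -v t="$threshold" '
        # Combined format: $1 client IP, $7 request path, $9 HTTP status.
        $9 == 401 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$logfile" | sort -k2 -nr
}

# Write a constructed sample log (not captured from a real deployment) and
# print its path, so the log review can be exercised offline.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.10 - - [08/Jun/2026:10:00:01 +0000] "GET /api/v1/chatflows HTTP/1.1" 401 0 "-" "curl/8.4.0"
203.0.113.10 - - [08/Jun/2026:10:00:02 +0000] "GET /api/v1/chatflows HTTP/1.1" 401 0 "-" "curl/8.4.0"
203.0.113.10 - - [08/Jun/2026:10:00:02 +0000] "GET /api/v1/chatflows HTTP/1.1" 401 0 "-" "curl/8.4.0"
203.0.113.10 - - [08/Jun/2026:10:00:03 +0000] "GET /api/v1/chatflows HTTP/1.1" 401 0 "-" "curl/8.4.0"
203.0.113.10 - - [08/Jun/2026:10:00:03 +0000] "GET /api/v1/chatflows HTTP/1.1" 401 0 "-" "curl/8.4.0"
198.51.100.7 - - [08/Jun/2026:10:05:11 +0000] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.7 - admin [08/Jun/2026:10:05:20 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - admin [08/Jun/2026:10:30:00 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: classify two versions, then scan the sample log.
for v in 3.1.1 3.1.2; do
    if flowise_is_vulnerable "$v"; then
        echo "Flowise $v: affected, upgrade to $FIXED_VERSION or newer"
    else
        echo "Flowise $v: not affected by CVE-2026-46440"
    fi
done
log=$(make_sample_log)
echo "Client IPs with 3 or more 401 responses:"
flowise_repeated_logins "$log" 3
rm -f "$log"
```

Feed `flowise_is_vulnerable` the version string printed by the Step 2 docker command, and point `flowise_repeated_logins` at the real proxy access log with a threshold that fits your traffic; a single IP collecting dozens of 401s in a short window is the pattern the advisory's missing rate limit would have allowed.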
Safe fix path
- Upgrade Flowise. Move to 3.1.2 or newer and restart the service.
- Put a real access layer in front. Use VPN, Cloudflare Access, or a reverse proxy with rate limiting.
- Rotate Flowise credentials. Use a new password that is not shared with other admin panels.
- Rotate exposed secrets. If login attempts may have succeeded, rotate API keys stored in Flowise credentials.
- Review flows and integrations. Look for changed flows, unknown tools, unexpected webhooks, or new outbound destinations.
Reverse proxy rate-limit example
A reverse proxy control is not a replacement for upgrading, but it helps stop brute-force traffic while you patch.
# NGINX example: define limit_req_zone in http context, then apply to Flowise
limit_req_zone $binary_remote_addr zone=flowise_login:10m rate=5r/m;
# In the server or location block that proxies Flowise (burst value is an example, tune it for your traffic):
limit_req zone=flowise_login burst=10 nodelay;
Ping7 repair path
Ping7 can review exposed Flowise instances, patch status, reverse proxy controls, and credential rotation. Start from CVE Repair and include the Flowise version, hosting type, and whether the admin UI was public.