{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-46440: Flowise: Basic Auth Credentials Exposed via API","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-46440","status":"final","version":"1","initial_release_date":"2026-06-08T15:29:40.724Z","current_release_date":"2026-06-08T19:18:43.370Z","revision_history":[{"date":"2026-06-08T15:29:40.724Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-46440 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-46440"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-46440"},{"category":"external","summary":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-php6-83fg-gw3g","url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-php6-83fg-gw3g"},{"category":"external","summary":"https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2","url":"https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2"}]},"product_tree":{"branches":[{"category":"vendor","name":"FlowiseAI","branches":[{"category":"product_name","name":"Flowise","branches":[{"category":"product_version","name":"< 3.1.2","product":{"name":"FlowiseAI Flowise < 3.1.2","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:flowiseai:flowise:\\<_3.1.2:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-46440","title":"Flowise: Basic Auth Credentials Exposed via API","notes":[{"category":"description","text":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is recorded in this export, but the CVE description states that the issue is patched in Flowise 3.1.2; confirm the fixed release against the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}