CVE-2026-30820 - Flowise Authorization Bypass via Spoofed x-request-from Header
CVE ID: CVE-2026-30820
Published: 7 Mar 2026, 5:07 a.m.
Description: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privilege. This issue has been patched in version 3.0.13.
Severity: 0.0 | NA
CVE Details
CVE ID: CVE-2026-30820
Severity: LOW
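The trust decision described above, shown beside a hardened form, as an added example that is not Flowise source code and does not reproduce the 3.0.13 patch. The role table, the x-internal-secret header name, the function names and the sample request are assumptions made for illustration.

```javascript
// Added illustration: hypothetical authorization gates, not Flowise source code.
const crypto = require("crypto");

// Assumption: a per-deployment secret known only to server-side components.
const INTERNAL_SECRET = crypto.randomBytes(32).toString("hex");

// Constructed role table for the demo.
const ROLE_PERMISSIONS = new Map([
  ["admin", new Set(["apikey:manage", "credentials:read", "chatflows:view"])],
  ["tenant", new Set(["chatflows:view"])],
]);

function hasPermission(session, permission) {
  const perms = session ? ROLE_PERMISSIONS.get(session.role) : undefined;
  return Boolean(perms && perms.has(permission));
}

// Flawed pattern from the advisory: the client chooses this header's value, so
// an authenticated low-privilege session skips the permission check entirely.
function authorizeVulnerable(req, permission) {
  if (!req.session) return false;
  if (req.headers["x-request-from"] === "internal") return true;
  return hasPermission(req.session, permission);
}

// Hash both values so timingSafeEqual always compares equal-length buffers.
function isTrustedInternalCall(presented) {
  if (typeof presented !== "string") return false;
  const digest = (s) => crypto.createHash("sha256").update(s).digest();
  return crypto.timingSafeEqual(digest(presented), digest(INTERNAL_SECRET));
}

// Hardened pattern: x-request-from carries no authority. Internal callers must
// prove knowledge of the secret; every other request gets the role check.
function authorizeHardened(req, permission) {
  if (isTrustedInternalCall(req.headers["x-internal-secret"])) return true;
  return hasPermission(req.session, permission);
}

// Constructed request: a tenant cookie session plus the client-supplied header.
const spoofed = {
  session: { user: "tenant-1", role: "tenant" },
  headers: { "x-request-from": "internal" },
};
console.log("vulnerable gate allows:", authorizeVulnerable(spoofed, "apikey:manage"));
console.log("hardened gate allows:", authorizeHardened(spoofed, "apikey:manage"));
```

A reverse proxy in front of the application can additionally drop x-request-from from inbound requests, so deployments that cannot upgrade immediately never see a client-supplied value.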