CVE-2026-30824 PUBLISHED

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13.

• https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454
• https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13

• CWE-306: Missing Authentication for Critical Function CWE