CVE-2026-46443

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response. The code properly omits encryptedData when no filter is used but fails to do so when a filter is used. This issue has been patched in version 3.1.2.

References

• https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2
• https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-7g73-99r4-m4mj