![[flowise] Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration](/assets/images/github_com_1773014676761.png)
Security Advisories์ถ์ฒ: GitHub Security Advisories์กฐํ์ 1
[flowise] Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
By GitHub2026๋
3์ 7์ผ
**[flowise] Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration**
Summary The Flowise platform has a critical Insecure Direct Object Reference (IDOR) vulnerability combined with a Business Logic Flaw in the PUT /api/v1/loginmethod endpoint. While the endpoint requires authentication, it fails to validate if the authenticated user has ownership or administrative rights over the target organizationId. This allows any low-privileged user (including "Free" plan users) to: Overwrite the SSO configuration of any other organization. Enable "Enterprise-only" features (SSO/SAML) without a license. Perform Account Takeover by redirecting the authentication flow...
---
**[devsupporter ํด์ค]**
์ด ๊ธฐ์ฌ๋ GitHub Security Advisories์์ ์ ๊ณตํ๋ ์ต์ ๊ฐ๋ฐ ๋ํฅ์ ๋๋ค. ๊ด๋ จ ๋๊ตฌ๋ ๊ธฐ์ ์ ๋ํด ๋ ์์๋ณด์๋ ค๋ฉด ์๋ณธ ๋งํฌ๋ฅผ ์ฐธ๊ณ ํ์ธ์.
Summary The Flowise platform has a critical Insecure Direct Object Reference (IDOR) vulnerability combined with a Business Logic Flaw in the PUT /api/v1/loginmethod endpoint. While the endpoint requires authentication, it fails to validate if the authenticated user has ownership or administrative rights over the target organizationId. This allows any low-privileged user (including "Free" plan users) to: Overwrite the SSO configuration of any other organization. Enable "Enterprise-only" features (SSO/SAML) without a license. Perform Account Takeover by redirecting the authentication flow...
---
**[devsupporter ํด์ค]**
์ด ๊ธฐ์ฌ๋ GitHub Security Advisories์์ ์ ๊ณตํ๋ ์ต์ ๊ฐ๋ฐ ๋ํฅ์ ๋๋ค. ๊ด๋ จ ๋๊ตฌ๋ ๊ธฐ์ ์ ๋ํด ๋ ์์๋ณด์๋ ค๋ฉด ์๋ณธ ๋งํฌ๋ฅผ ์ฐธ๊ณ ํ์ธ์.