AgentFlow (Flowring)
Product: AgentFlow
Vendor: Flowring
Affected Component: Authentication & Access Control Layer
Vulnerability Types: Missing Authentication & Authentication Bypass
Impact: Full database compromise, account takeover
Patch Status: Official patch available – Immediate update required
AgentFlow by Flowring contains two critical security vulnerabilities that allow attackers to bypass authentication controls. In the worst-case scenario, an unauthenticated attacker can directly access the backend database, read or delete data, or fully compromise user accounts.
These flaws do not require advanced exploitation techniques. If the affected system is internet-facing, exploitation can happen remotely with minimal effort.
CVE-2026-2096 – Missing Authentication
Basic Information
| Field | Details |
|---|---|
| CVE Name | AgentFlow Missing Authentication |
| CVE ID | CVE-2026-2096 |
| CVSS Score | 9.8 (Critical) |
| Severity | Critical |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Impact | Full database read/write/delete |
| Exploitability | High |
| Exploit Availability | No public PoC confirmed, but trivial to reproduce |
| Patch Status | Official patch released |
Technical Summary
CVE-2026-2096 is caused by missing authentication enforcement on sensitive API endpoints inside AgentFlow. Certain backend routes responsible for database operations do not validate user session tokens or API authentication headers.
In simple terms:
The system forgets to check who you are before giving access to critical functionality.
An attacker can directly call internal API endpoints without logging in and perform operations such as:
- Dump entire database contents
- Modify workflow configurations
- Delete records
- Create administrative users
- Execute privileged backend actions
How It Can Be Exploited
An attacker scans for exposed AgentFlow instances. Once identified, they:
- Enumerate API endpoints (e.g., /api/admin, /api/db/export, /api/workflow)
- Send crafted HTTP requests without authentication headers
- Receive full database responses or execute modification commands
Exploit Request (Illustrative)
GET /api/v1/database/export HTTP/1.1
Host: target-instance
If vulnerable, the server responds with database contents without requiring login.
Potential Impact
- Complete data breach
- Destruction of business workflows
- Loss of audit integrity
- Full system compromise
- Regulatory and compliance violations
If database credentials are reused elsewhere, lateral movement becomes possible.
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
- T1078 – Valid Accounts (if attacker creates admin user)
- T1530 – Data from Cloud Storage/Object
- T1485 – Data Destruction
Detection Guidance
Indicators of Compromise (IoCs)
- API access without authentication headers
- Unusually large database export responses
- Anonymous HTTP 200 responses on admin routes
- Sudden workflow deletions
Log Sources to Monitor
- Web server access logs (NGINX/Apache)
- Reverse proxy logs
- Application API logs
- Database audit logs
- WAF logs
Suspicious Log Pattern
"GET /api/v1/database/export HTTP/1.1" 200 -
Without:
Authorization: Bearer
Detection Rule (SIEM Logic)
Condition:
- HTTP request to /api/*
- AND missing Authorization header
- AND response status = 200
- AND request from external IP
Trigger High Severity Alert.
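The four-condition rule above, run over sample log lines. This is an added example, not vendor or SIEM-product code. It assumes a reverse proxy that writes JSON access logs with a boolean `auth` field recording only whether an Authorization header was present; the field names, the internal network list and the log lines are constructed for illustration.

```python
import ipaddress
import json

# Assumption: internal ranges for this deployment; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: JSON access-log lines from a reverse proxy that records
# only whether an Authorization header was present ("auth"), never its value.
SAMPLE_LOG = """\
{"ip": "203.0.113.45", "method": "GET", "path": "/api/v1/database/export", "status": 200, "auth": false, "bytes": 48211034}
{"ip": "203.0.113.45", "method": "GET", "path": "/api/v1/database/export", "status": 401, "auth": false, "bytes": 112}
{"ip": "198.51.100.7", "method": "GET", "path": "/api/workflow", "status": 200, "auth": true, "bytes": 2310}
{"ip": "10.20.1.15", "method": "GET", "path": "/api/admin", "status": 200, "auth": false, "bytes": 900}
{"ip": "198.51.100.7", "method": "GET", "path": "/static/app.js", "status": 200, "auth": false, "bytes": 5120}
not-json garbage line
{"ip": "198.51.100.99", "method": "POST", "path": "/api/admin", "status": 200, "auth": false, "bytes": 310}
"""

def is_external(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)

def find_unauthenticated_api_hits(log_text):
    """Return (alerts, skipped): records matching all four conditions, and the unparsable line count."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            hit = (rec["path"].startswith("/api/")      # HTTP request to /api/*
                   and not rec["auth"]                  # AND missing Authorization header
                   and rec["status"] == 200             # AND response status = 200
                   and is_external(rec["ip"]))          # AND request from external IP
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1    # count malformed lines instead of silently dropping them
            continue
        if hit:
            alerts.append({"severity": "high", **rec})
    return alerts, skipped

if __name__ == "__main__":
    alerts, skipped = find_unauthenticated_api_hits(SAMPLE_LOG)
    for a in alerts:
        print(a["severity"], a["ip"], a["method"], a["path"], a["bytes"])
    print("unparsable lines:", skipped)
```

The `bytes` field is carried into each alert so an analyst can triage the unusually large export responses listed under the indicators first.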
Official Patch
Upgrade AgentFlow to the latest patched version released by Flowring.
Apply vendor update immediately and restart services.
CVE-2026-2095 – Authentication Bypass
Basic Information
| Field | Details |
|---|---|
| CVE Name | AgentFlow Authentication Bypass |
| CVE ID | CVE-2026-2095 |
| CVSS Score | 9.1 (Critical) |
| Severity | Critical |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Impact | Account takeover |
| Exploitability | High |
| Exploit Availability | Exploitable with crafted token manipulation |
| Patch Status | Official patch released |
Technical Summary
CVE-2026-2095 allows attackers to bypass authentication mechanisms due to improper validation of session tokens.
The system fails to properly verify the integrity and signature of authentication tokens. In some cases:
- Expired tokens are accepted
- Tokens without proper signature validation are processed
- Role validation is skipped
This means attackers can forge or manipulate tokens to impersonate other users — including administrators.
How It Can Be Exploited
An attacker can:
- Capture a valid JWT token
- Modify the payload (e.g., change "role":"user" to "role":"admin")
- Resubmit the token
- Gain administrative access
In some configurations, the server does not verify the cryptographic signature.
Malicious JWT Payload
{
  "user": "admin",
  "role": "administrator",
  "exp": 9999999999
}
If signature validation is missing or weak, access is granted.
Potential Impact
- Full account takeover
- Privilege escalation
- Unauthorized configuration changes
- Access to confidential workflow data
- Persistent access via backdoor accounts
MITRE ATT&CK Mapping
- T1556 – Modify Authentication Process
- T1078 – Valid Accounts
- T1098 – Account Manipulation
- T1110 – Credential Access (if chained)
Detection Guidance
Indicators of Compromise
- Tokens with abnormal expiration timestamps
- Role changes without corresponding audit logs
- Login events without password validation
- Admin activity from new IP addresses
Log Sources to Monitor
- Application authentication logs
- Identity provider logs
- API gateway logs
- JWT validation middleware logs
- Database user modification logs
Suspicious Log Entry
User: admin
Auth Method: JWT
Token Expiration: 2099-12-31
IP: External
Detection Rule
Condition:
- JWT token expiration > 24h default policy
- OR Role change event without password reset
- OR Admin access from new ASN
Trigger Critical Alert.
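A strict verifier that closes the three gaps named in the technical summary (signature, expiry, role) and enforces the 24h lifetime policy from the detection rule. This is an added example, not AgentFlow or Flowring code. It assumes HS256 tokens, the `user`/`role`/`exp` claim names from the payload shown earlier, and a hypothetical server-side `ROLE_STORE`; the key and tokens are constructed.

```python
import base64, hashlib, hmac, json, time

MAX_LIFETIME = 24 * 3600          # the 24h default policy from the detection rule
# Assumption: roles are held server-side; the token's role claim is only cross-checked.
ROLE_STORE = {"alice": "user", "admin": "administrator"}

def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(key, claims):
    """Issuer side, used here only to build constructed sample tokens."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify_token(key, token, now=None):
    """Return (claims, None) on success or (None, reason) on rejection."""
    now = time.time() if now is None else now
    try:
        head_s, body_s, sig_s = token.split(".")
        header = json.loads(b64d(head_s))
        if header.get("alg") != "HS256":        # pin the algorithm; never let the header choose
            return None, "bad_alg"
        expected = hmac.new(key, f"{head_s}.{body_s}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig_s)):
            return None, "bad_signature"
        claims = json.loads(b64d(body_s))       # payload is parsed only after the MAC checks out
        exp, user = claims["exp"], claims["user"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None, "malformed"
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "expired"
    if exp - now > MAX_LIFETIME:                # e.g. "exp": 9999999999
        return None, "lifetime_exceeds_policy"
    if not isinstance(user, str) or ROLE_STORE.get(user) != claims.get("role"):
        return None, "role_mismatch"
    return claims, None

if __name__ == "__main__":
    key = b"constructed-demo-key"               # constructed, not a real secret
    tok = issue_token(key, {"user": "alice", "role": "user", "exp": time.time() + 3600})
    print(verify_token(key, tok))
```

Logging the rejection reason for each failed token gives the JWT validation middleware logs listed above something concrete to alert on.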
Proof of Concept (PoC)
There is no widely published PoC at the time of writing. However, exploitation is technically simple and reproducible in improperly configured environments.
Security teams should assume exploitation risk is high.
Remediation Steps
- Immediately upgrade AgentFlow to the vendor-patched version.
- Rotate all admin credentials.
- Invalidate all active tokens.
- Review database for unauthorized changes.
- Enable strict token signature verification.
- Implement WAF rules blocking unauthenticated admin endpoints.
- Restrict public exposure of AgentFlow servers.
Final Takeaway
Both CVE-2026-2096 and CVE-2026-2095 are critical authentication failures.
One allows complete unauthenticated database compromise.
The other allows full account takeover.
If exposed to the internet, compromise likelihood is extremely high.
Immediate patching and log review are strongly recommended.
