Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials

Summary

The text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech.

Root Cause

// packages/server/src/controllers/text-to-speech/index.ts:58-64
} else {
    // Use TTS config from request body
    provider = bodyProvider
    credentialId = bodyCredentialId  // ← attacker-controlled credential ID
    voice = bodyVoice
    model = bodyModel
}

Docker Validation

POST /api/v1/text-to-speech/generate with arbitrary credentialId in body: endpoint processes request, sends SSE tts_start event, only fails when credential doesn't exist — proves code path runs without authentication.

Impact

• Use victim's API keys (OpenAI, ElevenLabs, Azure, Google) without authorization
• Burn API credits on the victim's account
• Generate unlimited speech content at victim's expense
• Combined with credential ID leak from Finding 2, this is trivially exploitable

Suggested Fix

Remove the TTS endpoint from WHITELIST_URLS or validate that the credential belongs to the chatflow being used:

// Only allow credentialId when it matches the chatflow's TTS configuration
if (!chatflowId) {
    return res.status(401).json({ message: 'Authentication required' })
}

---

References

• packages/server/src/controllers/text-to-speech/index.ts lines 10-162
• packages/server/src/utils/constants.ts line 41 (whitelist entry)

Credits

• Shinobi Security - https://github.com/shinobisecurity