FlowiseAI Vulnerable to Credential Data Leak

Severity: HIGH (CVSS ~7.5) Type: CWE-200 (Exposure of Sensitive Information) File: packages/server/src/services/credentials/index.ts:62-71

Description: When credentials are fetched with a credentialName filter parameter, the encryptedData field is NOT stripped from the response. The code properly omits encryptedData when NO filter is used (line 102) but fails to do so when a filter IS used (lines 62-63, 70-71). Credential Data Leak Evidence:

// Lines 62-63: WITH filter - encryptedData LEAKED
const credentials = await appServer.AppDataSource.getRepository(Credential).findBy(searchOptions)
dbResponse.push(...credentials)  // encryptedData NOT removed!

// Lines 100-102: WITHOUT filter - encryptedData properly omitted
for (const credential of credentials) {
    dbResponse.push(omit(credential, ['encryptedData']))  // Correctly omitted
}

Impact: Authenticated users can extract encrypted credential data (API keys, passwords, tokens for services like OpenAI, AWS, etc.). Combined with access to the encryption key file (~/.flowise/encryption.key written with default permissions), this enables full credential theft.

Reproduction:

curl https://TARGET/api/v1/credentials?credentialName=openAIApi \
  -H "Authorization: Bearer API_KEY"
# Response includes encryptedData field with AES-encrypted credentials