drupal/flowdrop is vulnerable to Access Bypass
48
Medium Risk
drupal/flowdrop runs AI-driven workflows interactively through a chat interface. The module does not sufficiently enforce permissions on certain endpoints, allowing attackers to trigger workflow execution (incurring LLM spend and tool side effects) or send messages into other users' sessions. Exploitation requires the "View any session" permission, which is not granted to anonymous or authenticated users by default.
You are affected if you are using a version that falls within the vulnerable range.
drupal/flowdrop is vulnerable to Access Bypass in versions 1.0.0 - 1.5.0.
Upgrade the drupal/flowdrop library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant