From d6eb941eaa727007b2f76a88c3f0d570c8428de3 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:15:06 +0200 Subject: [PATCH 1/6] Add vpatch-CVE-2024-8181 rule --- .../crowdsecurity/vpatch-CVE-2024-8181.yaml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml new file mode 100644 index 00000000000..05f522237f3 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml @@ -0,0 +1,33 @@ +## autogenerated on 2026-06-12 09:15:02 +name: crowdsecurity/vpatch-CVE-2024-8181 +description: 'Detects authentication bypass in Flowise <= 1.8.2 by matching unauthorized access to sensitive API endpoints.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: '/api/v1/apikey' + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: '/api/v1/ping' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Flowise - Authentication Bypass' + classification: + - cve.CVE-2024-8181 + - attack.T1190 + - cwe.CWE-287 From 8b9476766d4d6d1e7631c1d4e86b8ede4e6dc280 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:15:08 +0200 Subject: [PATCH 2/6] Add vpatch-CVE-2024-8181 test config --- .appsec-tests/vpatch-CVE-2024-8181/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2024-8181/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-8181/config.yaml b/.appsec-tests/vpatch-CVE-2024-8181/config.yaml new file mode 100644 index 00000000000..1dc79aafad8 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-8181/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-06-12 09:15:02 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml +nuclei_template: CVE-2024-8181.yaml From 79533bb6f6209eb9cd58fc8c4298a2c139b64e0e Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:15:09 +0200 Subject: [PATCH 3/6] Add CVE-2024-8181.yaml test --- .../vpatch-CVE-2024-8181/CVE-2024-8181.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2024-8181/CVE-2024-8181.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-8181/CVE-2024-8181.yaml b/.appsec-tests/vpatch-CVE-2024-8181/CVE-2024-8181.yaml new file mode 100644 index 00000000000..ba92c3eddbc --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-8181/CVE-2024-8181.yaml @@ -0,0 +1,20 @@ +## autogenerated on 2026-06-12 09:15:02 +id: CVE-2024-8181 +info: + name: CVE-2024-8181 + author: crowdsec + severity: info + description: CVE-2024-8181 testing + tags: appsec-testing +http: + - raw: + - | + GET /api/v1/apikey?/api/v1/ping HTTP/1.1 + Host: {{Hostname}} + Accept: application/json, text/plain, */* + Referer: {{RootURL}}/document-stores + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 8cc6c6c38c77f06098db96d1c778b112c40c925c Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:15:11 +0200 Subject: [PATCH 4/6] Add vpatch-CVE-2024-8181 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 9d5aabe34fc..c4f95a425d8 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -123,6 +123,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2019-5418 - crowdsecurity/vpatch-CVE-2025-52488 - crowdsecurity/vpatch-CVE-2025-49132 +- crowdsecurity/vpatch-CVE-2024-8181 - crowdsecurity/vpatch-CVE-2026-21643 - crowdsecurity/vpatch-CVE-2025-47812 - crowdsecurity/vpatch-CVE-2024-51977 From 5664fb518b196b1004a38f8eff907d90bd447fdb Mon Sep 17 00:00:00 2001 From: he2ss Date: Fri, 12 Jun 2026 16:11:12 +0200 Subject: [PATCH 5/6] Modify match condition in vpatch-CVE-2024-8181.yaml Updated match value to include both '/api/v1/apikey' and '/api/v1/ping'. --- appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml index 05f522237f3..c046228f227 100644 --- a/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml @@ -10,15 +10,7 @@ rules: - urldecode match: type: contains - value: '/api/v1/apikey' - - zones: - - URI - transform: - - lowercase - - urldecode - match: - type: contains - value: '/api/v1/ping' + value: '/api/v1/apikey?/api/v1/ping' labels: type: exploit From ee964c1ee7427e2d23570a591c9655f4d34026f6 Mon Sep 17 00:00:00 2001 From: he2ss Date: Fri, 12 Jun 2026 16:49:24 +0200 Subject: [PATCH 6/6] Update vpatch-CVE-2024-8181.yaml --- appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml index c046228f227..6818a77b285 100644 --- a/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml @@ -4,7 +4,7 @@ description: 'Detects authentication bypass in Flowise <= 1.8.2 by matching unau rules: - and: - zones: - - URI + - URI_FULL transform: - lowercase - urldecode