From 9c6a5f2c8a572b9c3f8629acc0d38166f9afcb14 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 13:07:41 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2024-8181 rule --- .../crowdsecurity/vpatch-CVE-2024-8181.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml new file mode 100644 index 00000000000..0387f47a7ca --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml @@ -0,0 +1,25 @@ +## autogenerated on 2026-06-12 11:07:38 +name: crowdsecurity/vpatch-CVE-2024-8181 +description: 'Detects authentication bypass in Flowise <= 1.8.2 by matching crafted API endpoint access patterns.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: '/api/v1/apikey?/api/v1/ping' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Flowise - Authentication Bypass' + classification: + - cve.CVE-2024-8181 + - attack.T1190 + - cwe.CWE-287 From d0e3ceea1574f4be763fe151dfa30fa5dcb81a39 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 13:07:43 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2024-8181 test config --- .appsec-tests/vpatch-CVE-2024-8181/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2024-8181/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-8181/config.yaml b/.appsec-tests/vpatch-CVE-2024-8181/config.yaml new file mode 100644 index 00000000000..01da009fb12 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-8181/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-06-12 11:07:38 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml +nuclei_template: CVE-2024-8181.yaml From a1baef79d6201369fd71d393fb40faaa03da8f7d Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 13:07:46 +0200 Subject: [PATCH 3/4] Add CVE-2024-8181.yaml test --- .../vpatch-CVE-2024-8181/CVE-2024-8181.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2024-8181/CVE-2024-8181.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-8181/CVE-2024-8181.yaml b/.appsec-tests/vpatch-CVE-2024-8181/CVE-2024-8181.yaml new file mode 100644 index 00000000000..28bf702f314 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-8181/CVE-2024-8181.yaml @@ -0,0 +1,20 @@ +## autogenerated on 2026-06-12 11:07:38 +id: CVE-2024-8181 +info: + name: CVE-2024-8181 + author: crowdsec + severity: info + description: CVE-2024-8181 testing + tags: appsec-testing +http: + - raw: + - | + GET /api/v1/apikey?/api/v1/ping HTTP/1.1 + Host: {{Hostname}} + Accept: application/json, text/plain, */* + Referer: {{RootURL}}/document-stores + cookie-reuse: true + matchers: + - type: status + status: + - 403 From ebc371c3fb7333475548e7404e264d7172733791 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 13:07:48 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2024-8181 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 9d5aabe34fc..43333e34f36 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -86,6 +86,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-9474 - crowdsecurity/vpatch-CVE-2024-7593 - crowdsecurity/vpatch-CVE-2024-52301 +- crowdsecurity/vpatch-CVE-2024-8181 - crowdsecurity/vpatch-CVE-2025-34291 - crowdsecurity/vpatch-CVE-2024-8963 - crowdsecurity/vpatch-CVE-2024-38816