Skip to main content

Flowise CVE-2026-46441

| EUVDEUVD-2026-35109 HIGH
Improper Access Control (CWE-284)
2026-06-08 GitHub_M GHSA-hp26-q66v-q2w7
7.6
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 08, 2026 - 18:16 vuln.today
Analysis Generated
Jun 08, 2026 - 18:16 vuln.today
Patch available
Jun 08, 2026 - 17:01 EUVD
CVSS changed
Jun 08, 2026 - 16:22 NVD
7.6 (HIGH)
CVE Published
Jun 08, 2026 - 15:30 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.

AnalysisAI

Cross-workspace tenant isolation bypass in FlowiseAI versions prior to 3.1.2 allows authenticated low-privileged users to reassign assistant resources to arbitrary workspaces by manipulating server-controlled fields in the assistant update endpoint. The flaw is a mass assignment issue (CWE-284) tracked as EUVD-2026-35109, with publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified at time of analysis as widely deployed exploitation. SSVC indicates total technical impact but non-automatable exploitation.

Technical ContextAI

Flowise is an open-source drag-and-drop interface for building LLM application flows, distributed via npm as the 'flowise' package. The vulnerability resides in the PUT /api/v1/assistants/{assistantId} endpoint, which deserializes the JSON request body directly into the underlying database entity without DTO whitelisting, allowance lists, or authorization checks on protected fields. CWE-284 (Improper Access Control) manifests here as a classic mass assignment / over-posting flaw: server-controlled attributes such as workspaceId, createdDate, and updatedDate are exposed to client mutation. In multi-workspace deployments, workspaceId is the primary tenant boundary, so allowing client-supplied values for it collapses the multi-tenant security model. The affected CPE is cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:* covering all versions up to and including 3.1.1.

RemediationAI

Upgrade to vendor-released patch Flowise 3.1.2 or later, available at https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2, which adds server-side DTO whitelisting and authorization checks on the assistant update endpoint along with related mass-assignment fixes in tools, variables, and user endpoints. If immediate upgrade is not feasible, place a reverse proxy or API gateway in front of Flowise that strips workspaceId, createdDate, and updatedDate fields from PUT /api/v1/assistants/* request bodies - this preserves legitimate update functionality but blocks the specific abuse, at the cost of maintaining a custom filter that must be revisited when the schema changes. Additionally restrict who can authenticate to Flowise (network ACLs, SSO enforcement) and audit existing assistants for unexpected workspaceId values, since the SSVC Exploitation rating of 'poc' confirms working exploit details are public in the GHSA advisory.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

CVE-2026-46441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy