Skip to main content

FlowiseAI Flowise EUVDEUVD-2026-27830

| CVE-2026-8027 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-06 VulDB GHSA-3qmj-rc63-mhjw
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
May 06, 2026 - 15:22 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
May 06, 2026 - 15:00 vuln.today

DescriptionCVE.org

A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded.

AnalysisAI

Authorization bypass in FlowiseAI Flowise up to version 3.0.12 allows authenticated users to manipulate userId, organizationId, workspaceId, and email parameters in the User Controller Handler, potentially gaining unauthorized access to other users' data or organizational resources. The vulnerability requires valid user authentication and remote network access, resulting in confidentiality impact with low attack complexity. No active exploitation in CISA KEV has been confirmed at time of analysis.

Technical ContextAI

The vulnerability resides in the User Controller Handler component of FlowiseAI Flowise, a node.js based AI workflow orchestration platform. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that the application fails to properly validate or sanitize user-supplied parameters that control authorization decisions. When processing requests to manage users, organizations, or workspaces, the application appears to trust client-supplied identifier parameters without adequate server-side authorization checks. An authenticated attacker can manipulate these parameters (userId, organizationId, workspaceId, email) to bypass access controls and read data belonging to other users or organizational units. The CPE cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:* indicates the vulnerability affects all versions of the Flowise product up to and including 3.0.12.

RemediationAI

Upgrade FlowiseAI Flowise to a version newer than 3.0.12; the exact patched version was not confirmed in available data, but vendors typically address authorization bypass issues in the next minor or patch release following public disclosure. Apply server-side authorization validation immediately: implement checks to ensure that authenticated users can only access, modify, or retrieve data for users, organizations, workspaces, and email addresses to which they have explicit permissions-never trust client-supplied identifiers without backend verification against the authenticated user's access control list. As a temporary compensating control, restrict Flowise to single-user deployments or implement network segmentation to limit which users can access the application. Monitor User Controller Handler logs for requests with mismatched user/organization/workspace identifiers as an early detection strategy while patches are being deployed.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

EUVD-2026-27830 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy