Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/FlowiseAI/Flowise) · only source for this CVE.
CVSS VectorVendor: https://github.com/FlowiseAI/Flowise
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
Summary
A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI.
The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource.
Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign tools to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments.
Details
The endpoint responsible for updating tools:
PUT /api/v1/tools/{toolId}
accepts a JSON request body containing tool metadata.
However, the server does not restrict which properties may be modified by the client. As a result, user-controlled request bodies can include additional fields that should normally be controlled only by the backend.
Server-controlled fields that can be manipulated include:
- workspaceId
- createdDate
- updatedDate
The request body is directly merged into the underlying database entity without proper DTO validation or authorization checks.
PoC
Authenticate to the Flowise interface.
Capture the request used to update a tool:
PUT /api/v1/tools/<TOOL_ID>
Content-Type: application/json
Modify the request body by injecting additional fields:
{
"name": "aaa",
"description": "bbb",
"color": "linear-gradient(rgb(109,215,45), rgb(136,170,134))",
"schema": "[]",
"func": "",
"iconSrc": "test",
"workspaceId": "11111111-2222-3333-4444-555555555555",
"createdDate": "1995-03-06T14:17:50.000Z",
"updatedDate": "1995-03-06T14:17:50.000Z"
}
Send the request.
Observe that the response includes the manipulated fields:
{
"workspaceId": "11111111-2222-3333-4444-555555555555",
"createdDate": "1995-03-06T14:17:50.000Z"
}This confirms that client-controlled values are accepted and persisted by the server.
Impact
This vulnerability allows authenticated users to manipulate internal attributes of tool resources.
Confirmed impacts include:
- Cross-workspace reassignment of tools (workspaceId)
- Unauthorized modification of metadata (createdDate, updatedDate)
In multi-tenant deployments, this may allow an attacker to move tools between workspaces without authorization, breaking tenant isolation boundaries.
AnalysisAI
{toolId}) allows authenticated users to overwrite server-controlled fields including workspaceId, createdDate, and updatedDate, breaking tenant isolation in multi-workspace deployments. The flaw stems from the request body being merged directly into the database entity without DTO validation or authorization checks, and a working proof-of-concept is published in the GHSA-x5v6-pj28-cwwm advisory. No public exploit identified at time of analysis in CISA KEV; vendor-released patch is Flowise 3.1.2.
Technical ContextAI
Flowise is an npm-distributed (pkg:npm/flowise) low-code platform for building LLM workflows that supports multi-workspace tenancy where 'tools' are workflow building blocks scoped to a workspaceId. The vulnerability is a textbook CWE-284 (Improper Access Control) manifesting as mass assignment: the PUT /api/v1/tools/{toolId} handler deserializes the JSON body and merges it wholesale into the persisted entity rather than projecting it through a Data Transfer Object whitelist. As a result, fields that should be derived server-side from session context (workspaceId tied to the caller's tenant) or from system clocks (createdDate, updatedDate) accept attacker-supplied values, and no separate authorization layer verifies that the caller belongs to the workspaceId being written. This is the same anti-pattern behind classic Rails/Spring mass-assignment CVEs, applied here to a multi-tenant SaaS data model.
RemediationAI
Vendor-released patch: upgrade Flowise to 3.1.2 or later (https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2), as detailed in advisory GHSA-x5v6-pj28-cwwm. If immediate upgrade is not possible, place the Flowise API behind a reverse proxy or WAF rule that strips or rejects the workspaceId, createdDate, and updatedDate fields from PUT /api/v1/tools/* request bodies - note this only blocks the documented fields and not other unknown mass-assignable properties. As a stronger interim control, restrict the tool update endpoint to administrative users via network-layer ACLs until the upgrade is applied, accepting the trade-off that legitimate non-admin tenant users will lose the ability to edit their own tools. In multi-tenant deployments where credentials are widely distributed (for example a self-serve SaaS), assume current tool workspace assignments may already be tainted and audit the tools table for workspaceId values inconsistent with creator identity before and after patching.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35104
GHSA-x5v6-pj28-cwwm