CVE-2026-41267 - Vulnerability Details

- Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment. This vulnerability is fixed in 3.1.0.

Published: 2026-04-23

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An improper mass assignment vulnerability in the Flowise Cloud account registration endpoint lets unauthenticated attackers inject server‐managed fields and nested objects during account creation. By supplying crafted JSON, the attacker can manipulate ownership metadata, timestamps, organization association, and role mappings, thereby breaking trust boundaries in a multi‑tenant environment and enabling unauthorized access to other organizations' resources.

Affected Systems

All versions of Flowise prior to 3.1.0 released by FlowiseAI are affected. The flaw is present in the account registration feature used to create new user accounts for the Flowise Cloud service.

Risk and Exploitability

The CVSS score of 8.1 classifies this flaw as high severity, while the EPSS score of less than 1 % indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by sending a malicious payload to the registration endpoint without authentication, establishing an account that is improperly linked to an organization or granted elevated role mappings.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

FlowiseAI

Flowise

affected

Version	Status	Constraints
`< 3.1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Flowiseai

Flowise

95%

Version	Status	Scheme	Platform
`[0,3.1.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Flowise to version 3.1.0 or newer to apply the vendor‑provided fix that protects against mass assignment in account registration.
If an upgrade cannot be performed immediately, enforce strict server‑side validation that rejects client‑supplied organization association fields, timestamps, and nested objects during account creation to eliminate the injection vector.
Continuously monitor account creation logs for abnormal organization association attempts and ensure automated alerts for suspicious patterns.

Generated by OpenCVE AI on April 28, 2026 at 14:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-48m6-ch88-55mj	Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00493.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj

History

Fri, 24 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Flowiseai Flowiseai flowise
CPEs		cpe:2.3:a:flowiseai:flowise::::::::
Vendors & Products		Flowiseai Flowiseai flowise

Thu, 23 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment. This vulnerability is fixed in 3.1.0.
Title		Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
Weaknesses		CWE-639 CWE-915
References		https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Flowiseai Flowise

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-23T19:12:26.765Z

Updated: 2026-04-23T19:44:53.201Z

Reserved: 2026-04-18T14:01:46.801Z

Link: CVE-2026-41267

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-23T20:16:15.160

Modified: 2026-04-24T15:14:48.233

Link: CVE-2026-41267

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object