Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.
Published: 2026-06-08
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The assistant update endpoint in Flowise lets authenticated users set properties that should be controlled by the server, such as workspaceId, createdDate, and updatedDate. Because the backend neither validates these fields nor checks that the caller is authorized to change them, an attacker can set workspaceId in an assistant update request and move the assistant into an arbitrary workspace, breaking tenant isolation in a multi-workspace deployment. The flaw maps to improper access control (CWE-284), authorization bypass through a user-controlled key (CWE-639), and improperly controlled modification of dynamically-determined object attributes, i.e. mass assignment (CWE-915).

Affected Systems

The flaw affects FlowiseAI's Flowise product. All versions before 3.1.2 are vulnerable; the NVD CPE entry places no lower bound on the affected range. The update endpoint can be reached by any authenticated user who has permission to modify assistants, so a low-privileged account in one workspace is sufficient.

Risk and Exploitability

With a CVSS v4.0 base score of 7.6 (High), the vulnerability presents a high risk to confidentiality and integrity in multi-tenant deployments; the NVD's CVSS v3.1 assessment rates it 9.6 (Critical) because the cross-workspace effect is a scope change. The EPSS probability is below 1%, but the lack of server-side validation means any attacker who can authenticate can set the workspaceId field in an assistant update request. Because the endpoint accepts arbitrary values, an attacker can reassign an assistant to a workspace the account otherwise has no access to, breaching tenant isolation. The vulnerability is not listed in CISA KEV; the SSVC enrichment records Exploitation: poc and Automatable: no, so exploitation likelihood depends largely on an attacker's ability to log in to the target instance.

Generated by OpenCVE AI on June 8, 2026 at 16:50 UTC.

Remediation

Fixed in Flowise 3.1.2 (see GHSA-hp26-q66v-q2w7). No vendor workaround is documented for earlier versions.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.1.2 or newer to receive the official fix
  • If an upgrade is not immediately possible, restrict the ability to call the assistant update endpoint to administrative accounts, since any account that can update an assistant can re-home it
  • Enforce server-side validation that rejects workspaceId, createdDate, updatedDate and other server-controlled fields in update requests, and verify the requester belongs to the workspace that owns the assistant before applying any change
  • Audit assistant-to-workspace assignments against a known-good baseline and treat any workspaceId change not made through an administrative action as unauthorized reassignment
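The pattern the analysis describes, and the server-side checks the recommendations call for, as an added TypeScript example (this is not Flowise's own code; the Assistant shape, the Requester type, the in-memory store and all function names are assumptions for illustration): the vulnerable handler merges the request body straight into the stored entity, so a body carrying workspaceId re-homes the assistant into another tenant, while the hardened handler checks workspace ownership, rejects server-controlled keys, copies only allowlisted fields and stamps updatedDate itself. A baseline comparison covers the audit step.

```typescript
// Added example, not Flowise's own code. Assistant, Requester, the in-memory
// store and all function names are assumptions used to illustrate the pattern.

type Assistant = {
  id: string;
  workspaceId: string; // server-controlled: fixed at creation, decides the tenant
  createdDate: string; // server-controlled
  updatedDate: string; // server-controlled: stamped by the server on every write
  name: string;        // client-editable
  details: string;     // client-editable
};

type Requester = { userId: string; workspaceId: string };

// Constructed sample data: one assistant in each of two workspaces.
function seedStore(): Map<string, Assistant> {
  return new Map<string, Assistant>([
    ["asst-1", { id: "asst-1", workspaceId: "ws-tenant-a", createdDate: "2026-01-10T09:00:00Z",
                 updatedDate: "2026-01-10T09:00:00Z", name: "Support bot", details: "answers tickets" }],
    ["asst-2", { id: "asst-2", workspaceId: "ws-tenant-b", createdDate: "2026-02-01T12:00:00Z",
                 updatedDate: "2026-02-01T12:00:00Z", name: "Sales bot", details: "qualifies leads" }],
  ]);
}

// The only properties a PUT/PATCH body is allowed to change.
const MUTABLE_FIELDS: ReadonlyArray<string> = ["name", "details"];

class HttpError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.status = status;
  }
}

// Vulnerable pattern: every key the authenticated caller sends is copied onto the
// entity, so { workspaceId: "ws-tenant-b" } moves asst-1 into another tenant and
// createdDate/updatedDate can be rewritten at will.
function updateAssistantVulnerable(
  store: Map<string, Assistant>, id: string, body: Record<string, unknown>,
): Assistant {
  const existing = store.get(id);
  if (!existing) throw new HttpError(404, "assistant not found");
  const merged: Assistant = Object.assign({ ...existing }, body); // mass assignment
  store.set(id, merged);
  return merged;
}

// Hardened pattern. Ownership is checked first; a foreign-tenant assistant is
// reported as 404 rather than 403 so the endpoint does not confirm that the id
// exists in another workspace. Server-controlled keys in the body are rejected
// with 400 instead of being silently dropped, only allowlisted fields are copied,
// and updatedDate is set by the server.
function updateAssistantHardened(
  store: Map<string, Assistant>, requester: Requester, id: string,
  body: Record<string, unknown>, now: string = new Date().toISOString(),
): Assistant {
  const existing = store.get(id);
  if (!existing || existing.workspaceId !== requester.workspaceId) {
    throw new HttpError(404, "assistant not found");
  }
  const rejected = Object.keys(body).filter((k) => !MUTABLE_FIELDS.includes(k));
  if (rejected.length > 0) {
    throw new HttpError(400, `not updatable: ${rejected.join(", ")}`);
  }
  const name = body.name;
  const details = body.details;
  const updated: Assistant = {
    ...existing,
    name: typeof name === "string" ? name : existing.name,
    details: typeof details === "string" ? details : existing.details,
    updatedDate: now,
  };
  store.set(id, updated);
  return updated;
}

// Audit helper: ids whose workspaceId differs from a recorded baseline. Run it
// against a snapshot taken before the upgrade to spot assistants that were re-homed.
function findReassigned(
  baseline: Map<string, Assistant>, current: Map<string, Assistant>,
): string[] {
  const moved: string[] = [];
  baseline.forEach((before, id) => {
    const after = current.get(id);
    if (after && after.workspaceId !== before.workspaceId) moved.push(id);
  });
  return moved.sort();
}
```

The hardened handler answers 404 for both a missing id and an id owned by another workspace; if a deployment prefers an explicit 403, that choice should be applied consistently across all resource endpoints so response codes cannot be used to enumerate ids across tenants. Rejecting unknown keys with 400 rather than ignoring them also makes probing for this class of bug visible in request logs.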


Advisories
Source: GitHub GHSA
ID: GHSA-hp26-q66v-q2w7
Title: FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
History

Thu, 11 Jun 2026 04:15:00 +0000

Values added:
  • CPEs: cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
  • Metrics (cvssV3_1): score 9.6, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N


Mon, 08 Jun 2026 17:30:00 +0000

Values added:
  • Metrics (ssvc, version 2.0.3): Automatable: no; Exploitation: poc; Technical Impact: total


Mon, 08 Jun 2026 17:00:00 +0000

Values added:
  • First time appeared: Flowiseai; Flowiseai flowise
  • Vendors & Products: Flowiseai; Flowiseai flowise

Mon, 08 Jun 2026 15:45:00 +0000

Values added:
  • Description: (text as in the Description section at the top of this page)
  • Title: Flowise: Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource Reassignment
  • Weaknesses: CWE-284, CWE-639, CWE-915
  • References
  • Metrics (cvssV4_0): score 7.6, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-08T16:28:12.422Z
Reserved: 2026-05-13T22:18:22.831Z
Link: CVE-2026-46441

Vulnrichment
Updated: 2026-06-08T16:28:08.279Z

NVD
Status: Analyzed
Published: 2026-06-08T16:16:41.190
Modified: 2026-06-11T04:06:52.607
Link: CVE-2026-46441

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-06-08T17:00:16Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes