Impact
Flowise, a drag-and-drop interface for building large language model workflows, fails to enforce workspace boundaries in its assistant create and update endpoints. Prior to version 3.1.2, these endpoints copied the request body onto the assistant entity without restricting which fields could be set (mass assignment), so an authenticated user could create or modify an assistant and assign it to a workspace other than their own, effectively capturing that assistant. This gives the attacker control over the assistant's behaviour, access to its data and the ability to inject malicious logic, compromising confidentiality, integrity and availability. The weakness is classified as CWE-915, Improperly Controlled Modification of Dynamically-Determined Object Attributes.
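As an added example (not Flowise's own code, which the advisory does not reproduce), the following TypeScript models the pattern described above: a create/update handler that copies the request body onto the entity, next to a hardened version that allow-lists writable fields, takes workspaceId only from the authenticated session and refuses updates to assistants outside that workspace. The entity fields, the in-memory store and the session shape are assumptions made for illustration.

```typescript
// Added example, not Flowise's own code: a minimal model of the mass-assignment
// flaw the advisory describes and a hardened version of the same handlers.
// Entity fields, the in-memory store and the session shape are assumptions.

interface Assistant {
  id: string;
  workspaceId: string;  // tenant boundary the endpoints must enforce
  details: string;      // assumed: the assistant's configuration/instructions
  credential?: string;  // assumed: reference to a stored credential
}

interface Session {
  userId: string;
  workspaceId: string;  // the workspace the caller is authenticated into
}

// In-memory stand-in for the database, seeded with one assistant per tenant (constructed data).
const store = new Map<string, Assistant>();

function seed(): void {
  store.clear();
  store.set("a-1", { id: "a-1", workspaceId: "ws-A", details: "tenant A instructions" });
  store.set("b-1", { id: "b-1", workspaceId: "ws-B", details: "tenant B instructions" });
}

// --- Vulnerable pattern (the pre-3.1.2 behaviour as described) ---------------
// The request body is copied wholesale onto the entity, so a body containing
// workspaceId overrides the workspace derived from the session.
function vulnerableCreate(session: Session, body: Record<string, unknown>): Assistant {
  const a: Assistant = { id: `a-${store.size + 1}`, workspaceId: session.workspaceId, details: "" };
  Object.assign(a, body); // mass assignment: any column, including workspaceId
  store.set(a.id, a);
  return a;
}

function vulnerableUpdate(session: Session, id: string, body: Record<string, unknown>): Assistant | undefined {
  const a = store.get(id);
  if (!a) return undefined;
  // No check that the target belongs to session.workspaceId, and the body may
  // rewrite workspaceId, so an assistant can be pulled into another workspace.
  Object.assign(a, body);
  return a;
}

// --- Hardened pattern ---------------------------------------------------------
// Only explicitly allow-listed, type-checked fields are copied from the body;
// workspaceId is never writable and always comes from the session.
function pickWritable(body: Record<string, unknown>): Partial<Assistant> {
  const out: Partial<Assistant> = {};
  const details = body.details;
  const credential = body.credential;
  if (typeof details === "string") out.details = details;
  if (typeof credential === "string") out.credential = credential;
  return out;
}

function safeCreate(session: Session, body: Record<string, unknown>): Assistant {
  const a: Assistant = { id: `a-${store.size + 1}`, workspaceId: session.workspaceId, details: "" };
  Object.assign(a, pickWritable(body));
  store.set(a.id, a);
  return a;
}

function safeUpdate(session: Session, id: string, body: Record<string, unknown>): Assistant | undefined {
  const a = store.get(id);
  // Treat "exists but in another workspace" exactly like "does not exist" so the
  // response does not confirm other tenants' assistant IDs.
  if (!a || a.workspaceId !== session.workspaceId) return undefined;
  Object.assign(a, pickWritable(body));
  return a;
}

// Scenario: a user authenticated into ws-A sends a body that names ws-B (on
// create, planting an assistant in another tenant's workspace) and one that
// pulls tenant B's assistant into ws-A (on update, capturing it).
function runScenario(): {
  vulnCreateWs: string; vulnUpdateWs: string | undefined;
  safeCreateWs: string; safeUpdateWs: string | undefined; b1Ws: string;
} {
  const attacker: Session = { userId: "u-attacker", workspaceId: "ws-A" };
  const planted = { workspaceId: "ws-B", details: "injected instructions" };
  const captured = { workspaceId: "ws-A", details: "injected instructions" };

  seed();
  const vc = vulnerableCreate(attacker, planted);
  const vu = vulnerableUpdate(attacker, "b-1", captured);

  seed();
  const sc = safeCreate(attacker, planted);
  const su = safeUpdate(attacker, "b-1", captured);

  return {
    vulnCreateWs: vc.workspaceId,        // "ws-B": planted in another tenant's workspace
    vulnUpdateWs: vu?.workspaceId,       // "ws-A": tenant B's assistant captured
    safeCreateWs: sc.workspaceId,        // "ws-A": pinned to the session
    safeUpdateWs: su?.workspaceId,       // undefined: update rejected
    b1Ws: store.get("b-1")!.workspaceId, // "ws-B": untouched by the hardened handler
  };
}

console.log(runScenario());
```

The hardened handlers make two independent decisions: which body fields may ever be written (an allow-list, so a newly added column is not writable by accident) and which row the caller may write (ownership derived from the session, never from the body). Fixing only one of the two leaves the other half of the issue open.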
Affected Systems
The vulnerability affects Flowise in all releases earlier than 3.1.2, including the 3.0.x series and 3.1.0 and 3.1.1. The exposed surface is the assistant creation and update operations, reachable through the web UI or the API.
Risk and Exploitability
A CVSS score of 7.7 rates the issue as high severity. No EPSS score is available and the issue is not listed in CISA's KEV catalog, so the likelihood of exploitation in the wild is unknown. Exploitation requires only an authenticated account that can use the Flowise UI or API within some workspace; no privileges beyond ordinary workspace membership are needed, so any such user can trigger the flaw. Because one tenant can take over, or plant assistants in, another tenant's workspace, the impact is significant for shared multi-tenant deployments. Upgrade to 3.1.2 or later promptly and, until then, tighten access control on who can reach the assistant endpoints.
OpenCVE Enrichment
GitHub GHSA