Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2.
Published: 2026-06-08
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise, a user‑friendly interface for building large language model pipelines, contains a mass‑assignment flaw in its CustomTemplate create and update functions. The bug allows a user to set fields that should be restricted, enabling them to modify or replace templates belonging to other workspaces.

Affected Systems

All installations of FlowiseAI:Flowise earlier than version 3.1.2 are affected. The issue was documented and corrected in the 3.1.2 release, and any variant that has not been upgraded remains vulnerable.

Risk and Exploitability

The CVSS score of 7.7 places the flaw in the high‑severity range. No EPSS value is available and the vulnerability is not listed in CISA’s KEV catalog. An attacker who has legitimate access to any workspace can exploit the flaw by sending a creation or update request that assigns fields belonging to a different workspace, thus taking over that workspace’s template.

Generated by OpenCVE AI on June 8, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.1.2 or later; the update explicitly fixes the mass‑assignment issue.
  • Re‑configure the CustomTemplate API endpoints to enforce that create and update actions are allowed only on templates owned by the requesting user’s workspace, thereby restoring proper access control.
  • If an upgrade cannot be performed immediately, disable or block the external create/update endpoints for cross‑workspace users through your web server configuration or firewall rules to prevent the takeover until a patch is applied.
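The second recommendation above (allowlist the writable fields and bind every write to the caller's workspace) sketched as an added example; this is not Flowise source code, and the field names (`id`, `workspaceId`, `name`, `description`, `data`), the in-memory store and all function names are hypothetical.

```javascript
// Added illustration of a CWE-915 fix pattern; NOT Flowise code.
// All field and function names here are assumptions made for the example.
const ALLOWED_FIELDS = ['name', 'description', 'data']; // client-editable fields only

// Constructed sample store: one template per workspace.
function makeStore() {
  return new Map([
    ['t-a', { id: 't-a', workspaceId: 'ws-a', name: 'A template', data: '{}' }],
    ['t-b', { id: 't-b', workspaceId: 'ws-b', name: 'B template', data: '{}' }],
  ]);
}

// Copy only allowlisted keys; id/workspaceId sent in the body are dropped.
function pickAllowed(body) {
  const out = {};
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Weak pattern (generic mass assignment): the whole body is merged into the record,
// so ownership fields are whatever the request says they are.
function updateUnsafe(store, id, body) {
  const record = store.get(id);
  if (!record) return null;
  Object.assign(record, body);
  return record;
}

// Hardened update: lookup is scoped to the session's workspace, body is filtered.
function updateSafe(store, sessionWorkspaceId, id, body) {
  const record = store.get(id);
  if (!record || record.workspaceId !== sessionWorkspaceId) return null; // treat as not found
  Object.assign(record, pickAllowed(body));
  return record;
}

// Hardened create: the server assigns both the id and the workspace binding.
function createSafe(store, sessionWorkspaceId, newId, body) {
  const record = { ...pickAllowed(body), id: newId, workspaceId: sessionWorkspaceId };
  store.set(newId, record);
  return record;
}
```

The workspace identifier passed to `updateSafe` and `createSafe` must come from the authenticated session, never from the request body or query string.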



Advisories
Source | ID | Title
Github GHSA | GHSA-728h-4mwj-f2p4 | FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
History

Mon, 15 Jun 2026 14:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 08 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Flowiseai; Flowiseai flowise
Vendors & Products | | Flowiseai; Flowiseai flowise

Mon, 08 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2.
Title | | Flowise: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
Weaknesses | | CWE-915
References | |
Metrics | | cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T16:27:17.142Z

Reserved: 2026-05-14T18:06:06.810Z

Link: CVE-2026-46476

Vulnrichment

Updated: 2026-06-08T16:27:13.636Z

NVD

Status: Analyzed

Published: 2026-06-08T16:16:41.950

Modified: 2026-06-15T14:04:20.547

Link: CVE-2026-46476

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T17:15:28Z

Weaknesses
  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes