Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover. This issue has been patched in version 3.1.2.
Published: 2026-06-08
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Flowise’s handling of DatasetRow creation and updates, where mass‑assignment lacks proper workspace isolation. An authenticated user can manipulate request data to inject or modify DatasetRow objects belonging to another workspace, thereby gaining unauthorized access to, altering, or deleting that workspace’s data. This flaw directly jeopardizes the confidentiality, integrity, and availability of data managed by separate workspaces and is classified as CWE‑915.

Affected Systems

Any deployment of Flowise AI’s Flowise application running a version older than 3.1.2 is affected, including community and self‑hosted instances. Users of earlier releases should verify the version of Flowise installed and consider reducing the scope of API access where possible.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity level. While no EPSS score is currently available, the documented exploit path does not require special privileges beyond legitimate workspace membership, and the flaw can be exercised via standard API or UI interactions. The vulnerability is not listed in the CISA KEV catalog, but its impact on data isolation means it should be treated with urgency. Attackers could target any user with workspace access and leverage API endpoints that process DatasetRow data.

Generated by OpenCVE AI on June 8, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.1.2 or later to eliminate the mass‑assignment flaw.
  • Restrict API access scopes for users who do not need full workspace modification privileges, reducing the attack surface.
  • Monitor application logs for unexpected DatasetRow creation or update events to detect potential cross‑workspace exploitation attempts.

Advisories

Source: Github GHSA
ID: GHSA-7j65-65cr-6644
Title: FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover

History

Mon, 15 Jun 2026 14:00:00 +0000

  • CPEs, added: cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
  • Metrics, added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 09 Jun 2026 23:30:00 +0000

  • Metrics, added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 17:30:00 +0000

  • First Time appeared, added: Flowiseai; Flowiseai flowise
  • Vendors & Products, added: Flowiseai; Flowiseai flowise

Mon, 08 Jun 2026 15:45:00 +0000

  • Description, added: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover. This issue has been patched in version 3.1.2.
  • Title, added: Flowise: DatasetRow create+update mass-assignment allows cross-workspace row takeover
  • Weaknesses, added: CWE-915
  • References
  • Metrics, added: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T15:33:21.250Z

Reserved: 2026-05-14T18:06:06.810Z

Link: CVE-2026-46478

Vulnrichment

Updated: 2026-06-09T15:33:17.541Z

NVD

Status: Analyzed

Published: 2026-06-08T16:16:42.277

Modified: 2026-06-15T13:58:37.763

Link: CVE-2026-46478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T17:15:28Z

Weaknesses
  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes