Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2.
Published: 2026-06-08
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise is a drag‑and‑drop interface for building large‑language‑model flows. A mass‑assignment vulnerability in the create and update procedures for evaluations allows an attacker who can perform these actions to set or modify attributes that belong to a different workspace, effectively permitting takeover of evaluations across workspaces. This flaw is a case of Improper Authorization (CWE‑915).

Affected Systems

Flowise, the FlowiseAI drag‑and‑drop interface for building LLM flows, is affected in all releases prior to 3.1.2. The vulnerability is fixed in version 3.1.2 and later.

Risk and Exploitability

The CVSS score of 7.7 points to a high severity. EPSS is not available, and the vulnerability is not in CISA’s KEV catalog. The flaw requires an attacker to have access to the Flowise web interface and the ability to create or update evaluations. An attacker with such access could use the flaw to transfer control of evaluations from one workspace to another. No exploitation details beyond those indicated are stated.

Generated by OpenCVE AI on June 8, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Flowise 3.1.2 or later
  • Restrict the creation and update of evaluations to workspace owners only
  • Enable audit logging to detect unauthorized evaluation changes

Generated by OpenCVE AI on June 8, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mq53-pc65-wjc4 FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
History

Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 08 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Flowiseai
Flowiseai flowise
Vendors & Products Flowiseai
Flowiseai flowise

Mon, 08 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2.
Title Flowise: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
Weaknesses CWE-915
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Flowiseai Flowise
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T15:50:51.866Z

Reserved: 2026-05-14T18:06:06.810Z

Link: CVE-2026-46479

cve-icon Vulnrichment

Updated: 2026-06-08T15:50:42.472Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-08T16:16:42.443

Modified: 2026-06-15T13:56:30.973

Link: CVE-2026-46479

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T18:15:30Z

Weaknesses
  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes