Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2.
Published: 2026-06-08
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A mass‑assignment flaw in the evaluator create and update endpoints allows an attacker to move an evaluator from one workspace to another, effectively hijacking control of that workspace and enabling the attacker to run arbitrary workflows or displace legitimate users.

Affected Systems

FlowiseAI’s Flowise platform is affected, specifically all deployments running any version older than 3.1.2.

Risk and Exploitability

The CVSS score of 7.7 is rated High; the EPSS score is not available, and the CVE is not listed in CISA KEV. The likely attack vector is an authenticated user who can create or update evaluators: by exploiting the mass-assignment issue, that user can transfer evaluators across workspaces and obtain elevated privileges.

Generated by OpenCVE AI on June 8, 2026 at 16:36 UTC.

Remediation

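No vendor fix or workaround is provided in this record's remediation data; the description above states that the issue is patched in version 3.1.2.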

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.1.2 or later to obtain the published fix
  • Ensure that only users with appropriate workspace ownership can create or update evaluators, implementing role‑based access controls around those endpoints
  • Audit existing evaluator configurations after the upgrade to confirm no cross‑workspace assignments remain

Advisories
Source ID Title
Github GHSA GHSA-wxrr-jp8m-qq7f FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
History

Tue, 09 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 08 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Flowiseai
Flowiseai flowise
Vendors & Products Flowiseai
Flowiseai flowise

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2.
Title Flowise: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
Weaknesses CWE-915
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T16:17:04.899Z

Reserved: 2026-05-14T18:06:06.810Z

Link: CVE-2026-46480

Vulnrichment

Updated: 2026-06-08T16:16:43.674Z

NVD

Status: Analyzed

Published: 2026-06-08T16:16:42.600

Modified: 2026-06-09T14:57:08.360

Link: CVE-2026-46480

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T16:45:26Z

Weaknesses
  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes