Description
Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.
Published: 2026-06-20
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise prior to 3.1.2 contains a mass assignment flaw in the PUT /api/v1/user API that lets an authenticated user set the credential field without validation. By supplying a crafted password hash, an attacker can bypass password change checks and session invalidation, essentially creating or replacing an account password. This allows the attacker to retain persistent access after a temporary session compromise, leading to unauthorized control over a user account.

Affected Systems

Flowise versions earlier than 3.1.2 across all deployments of the Flowise:Flowise product are affected. Updated releases beginning with 3.1.2 contain the fix, and newer versions are expected to be safe.

Risk and Exploitability

The CVSS score of 6.0 indicates a moderate severity flaw. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate to the system and then issue a crafted PUT request to the /api/v1/user endpoint; the exploit requires no special privileges beyond normal user access. Given the ability to override credential hashes, the impact could facilitate long‑term account compromise if the vulnerability is not remediated.

Generated by OpenCVE AI on June 20, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.1.2 or later to eliminate the mass assignment flaw.
  • Restrict the /api/v1/user endpoint so that only privileged administrators can modify credential data.
  • Implement server‑side validation to reject arbitrary credential values and enforce proper password change logic.

Generated by OpenCVE AI on June 20, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Description Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.
Title Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override
First Time appeared Flowiseai
Flowiseai flowise
Weaknesses CWE-915
CPEs cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products Flowiseai
Flowiseai flowise
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Flowiseai Flowise
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:44.035Z

Reserved: 2026-06-20T01:47:54.001Z

Link: CVE-2026-56276

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T17:30:08Z

Weaknesses
  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes