Description
A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. Manipulation of the arguments userId, organizationId, workspaceId, or email causes an authorization bypass. The attack may be initiated remotely. The affected component should be upgraded.
Published: 2026-05-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness in FlowiseAI Flowise up to version 3.0.12 allows an attacker to manipulate request arguments such as userId, organizationId, workspaceId, or email within the User Controller component. This manipulation bypasses intended authorization controls, potentially enabling unauthorized access to sensitive data or elevated privileges. The flaw reflects classic access control weaknesses covered by CWE-285 and CWE-639.

Affected Systems

The vulnerability affects FlowiseAI’s Flowise server software, specifically all releases up to and including 3.0.12. Users operating any of these versions are susceptible to the authorization bypass described.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, and the EPSS score is very low (under 1%), so the availability of ready-to-use exploits is unclear. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been reported. The attack vector appears to be remote, inferred from the phrase "The attack may be initiated remotely," meaning the attacker can trigger the flaw over the network by sending crafted requests, although explicit prerequisites (beyond the low-privilege account implied by the CVSS vectors) are not detailed.

Generated by OpenCVE AI on May 6, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to a version newer than 3.0.12 to eliminate the bypass flaw
  • If an upgrade cannot be performed immediately, limit access to the Flowise API by applying firewall rules or IP whitelisting to ensure only trusted hosts can reach the controller endpoints
  • Enable logging and monitoring of requests containing manipulated userId, organizationId, workspaceId, or email parameters to detect potential exploitation attempts


Advisories

No advisories yet.

History

Wed, 06 May 2026 14:30:00 +0000

Type: Values Removed / Values Added

Description (added): A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded.
Title (added): FlowiseAI Flowise User Controller authorization
First Time appeared (added): Flowiseai; Flowiseai flowise
Weaknesses (added): CWE-285; CWE-639
CPEs (added): cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products (added): Flowiseai; Flowiseai flowise
References (added): none
Metrics (added):
  cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C'}
  cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-06T15:26:30.808Z

Reserved: 2026-05-06T07:40:34.416Z

Link: CVE-2026-8027

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T15:16:13.050

Modified: 2026-05-06T18:52:17.480

Link: CVE-2026-8027

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T00:30:12Z

Weaknesses