CVE-2026-42861
CriticalCVSS 9.6Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
In Flowise, prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint. This allows authenticated users to modify server-controlled properties, potentially breaking tenant isolation in multi-workspace environments.
Risk Assessment
An attacker can manipulate the workspaceId field, allowing reassignment of variables to arbitrary workspaces, jeopardizing data security and user isolation.
Recommendation
It is recommended to upgrade to version 3.1.2 or later to mitigate this vulnerability and implement additional server-side validation and authorization checks.
Original NVD description (English source)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces. This behavior may break tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.

