CVE Catalog

CVE-2026-46441

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.06%

20th percentile — higher than 20% of all known CVEs

Summary

In versions prior to 3.1.2, FlowiseAI has a mass assignment vulnerability in the assistant update endpoint. This allows authenticated users to modify server-controlled properties, potentially breaking tenant isolation in multi-workspace environments.

Risk Assessment

An attacker can manipulate the workspaceId field, allowing reassignment of assistants to arbitrary workspaces, jeopardizing data security and user isolation.

Recommendation

It is recommended to upgrade to version 3.1.2 or later to mitigate this vulnerability and implement additional server-side validation and authorization checks.

Original NVD description (English source)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS