CVE-2026-56276
MediumCVSS 6.0Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.
Risk Assessment
Organizations may be exposed to unauthorized access to user accounts, leading to potential data loss and security breaches. Allowing attackers persistent access to accounts poses a serious threat to system integrity.
Recommendation
It is recommended to update Flowise to version 3.1.2 or later to eliminate this vulnerability. Additionally, implementing extra verification mechanisms during password changes and monitoring user activity logs is advisable.
Original NVD description (English source)
Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.

