CVE-2026-30822: Flowise: mass assignment allows unauthenticated DB injection

UNKNOWN PoC AVAILABLE
Published March 7, 2026
CISO Take

Flowise, a widely deployed drag-and-drop LLM agent builder, contains a mass assignment flaw (CWE-915) that allows any unauthenticated user to inject arbitrary values into internal database fields through the lead creation endpoint — no credentials required. A public proof-of-concept already exists, and this package carries a history of 16 prior CVEs, signaling a pattern of insufficient input validation in a platform that often holds API keys, agent configurations, and sensitive workflow data. Blast radius extends to any Flowise instance exposed to the internet: successful exploitation could enable record tampering, privilege escalation within the platform, or corruption of LLM agent flow configurations. Upgrade to Flowise 3.0.13 immediately; if patching is blocked, isolate the Flowise API behind a network perimeter and audit database records for unexpected or injected field values.

Sources: GitHub Advisory, NVD, ATLAS

Risk Assessment

HIGH. The vulnerability is unauthenticated (no prior access required), has a public PoC, and targets a platform that sits at the center of LLM agent orchestration — a high-value target for attackers seeking to manipulate AI pipelines. The lack of CVSS scoring does not reduce real-world risk; the unauthenticated attack vector and available exploit code make this trivially weaponizable. The package's 16 prior CVEs suggest structural security debt.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
flowise | npm | | No patch

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium. Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

  1. Patch immediately: upgrade all Flowise instances to version 3.0.13 or later.
  2. If immediate patching is not possible: place Flowise behind a VPN or firewall to prevent unauthenticated internet access to the API.
  3. Audit database records — particularly lead, user, and configuration tables — for unexpected field values or signs of injection attempts (fields containing unexpected JSON keys or privilege-related values).
  4. Review application logs for anomalous POST requests to lead creation endpoints originating from unauthenticated sessions.
  5. Rotate any API keys, credentials, or tokens stored within the Flowise platform as a precaution.
  6. Subscribe to Flowise security advisories given the package's CVE history.
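
The flaw class (CWE-915) and the record audit in step 3, shown as an added example that is not Flowise's code: a mass-assignment binder beside an allowlist binder, plus a helper that flags keys a client should never set. The field names, the `serverFields` values and the sample bodies are assumptions constructed for illustration.

```javascript
// Added example. Field names are assumptions for illustration, not Flowise's schema.
// Fields a client may set on a lead; everything else belongs to the server.
const CLIENT_FIELDS = ['name', 'email', 'phone', 'chatflowid', 'chatId'];
const MAX_LEN = 256;

// Mass-assignment pattern (CWE-915): every key in the body lands on the record,
// so client-supplied values overwrite server-owned columns.
function bindUnsafe(body, serverFields) {
  return Object.assign({}, serverFields, body);
}

// Allowlist binding: copy only known client fields, type- and length-check them,
// and apply server-owned values last so they cannot be overridden.
function bindLead(body, serverFields) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('body must be a JSON object');
  }
  const lead = {};
  for (const key of CLIENT_FIELDS) {
    if (!Object.prototype.hasOwnProperty.call(body, key)) continue;
    const value = body[key];
    if (typeof value !== 'string' || value.length > MAX_LEN) {
      throw new TypeError(`invalid value for ${key}`);
    }
    lead[key] = value;
  }
  return Object.assign(lead, serverFields);
}

// Audit helper for logged request bodies or exported rows: list the keys
// that fall outside the client allowlist.
function unexpectedKeys(body) {
  return Object.keys(body).filter((k) => !CLIENT_FIELDS.includes(k)).sort();
}

function auditReport(bodies) {
  return bodies
    .map((body, index) => ({ index, keys: unexpectedKeys(body) }))
    .filter((entry) => entry.keys.length > 0);
}

// Constructed sample input (not captured traffic).
const serverFields = { id: 'srv-0001', createdDate: '2026-03-07T00:00:00Z' };
const sampleBodies = [
  JSON.parse('{"name":"Ada","email":"ada@example.test","chatflowid":"cf-1"}'),
  JSON.parse('{"name":"x","id":"client-chosen","createdDate":"1999-01-01T00:00:00Z"}'),
];
console.log(JSON.stringify(auditReport(sampleBodies)));
```
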

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: 8.4 - AI system operation
NIST AI RMF: GOVERN-1.7 - Processes and procedures are in place for ongoing identification of risks and risk-impacted components
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13.

Exploitation Scenario

An adversary identifies a publicly exposed Flowise instance — trivially discoverable via Shodan or similar tooling searching for Flowise-specific headers or paths. Without any credentials, they send a crafted POST request to the lead creation endpoint, embedding additional database fields beyond the intended payload (e.g., role escalation flags, admin boolean fields, or references to other users' configurations). The injected values persist to the database. The attacker may then use escalated permissions to access authenticated endpoints, extract stored API keys for downstream LLM providers (OpenAI, Anthropic), or modify LLM flow configurations to redirect agent tool calls to attacker-controlled infrastructure — turning the compromised Flowise instance into a pivot point for prompt injection or data exfiltration from connected AI services.

Weaknesses (CWE)

Timeline

Published: March 7, 2026
Last Modified: March 11, 2026
First Seen: March 7, 2026

Related Vulnerabilities