CVE-2026-41267: Flowise: mass assignment auth bypass in registration
CRITICAL | PoC AVAILABLE
Flowise's account registration endpoint fails to strip server-managed fields from client-supplied JSON, allowing unauthenticated attackers to inject role assignments, organization associations, and ownership metadata during signup, effectively self-granting admin access to any tenant in a multi-tenant deployment. With a CVSS of 9.8, no authentication required, and public PoC code already in the wild, this is trivially exploitable by anyone who can reach the registration endpoint. Although EPSS is 0.3% today, the PoC's existence and Flowise's widespread use in AI agent pipelines make active exploitation a near-term certainty rather than a theoretical risk. Upgrade to Flowise 3.1.0 immediately; if patching must be delayed, restrict the registration endpoint to trusted IP ranges via WAF or reverse proxy and audit all user accounts created before the patch for anomalous role assignments and cross-tenant access.
What is the risk?
CRITICAL. The CVSS 9.8 score reflects worst-case exploitability: unauthenticated network access, zero complexity, and full confidentiality/integrity/availability impact. Public PoC eliminates any technical barrier—this is a script-kiddie-level exploit against a platform that manages LLM workflows, stores API keys for OpenAI/Anthropic/etc., and often connects to production databases and data pipelines. Multi-tenant Flowise Cloud deployments are especially exposed since a single registration request can cross tenant boundaries, compromising all organizations on the instance. The 59 prior CVEs in this package signal a pattern of insufficient input validation that warrants additional scrutiny of surrounding code even after patching.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | — | No patch |
Do you use Flowise? You're affected.
What should I do?
1. PATCH: Upgrade to Flowise 3.1.0 immediately; this is the only complete fix.
2. AUDIT: Review all accounts created before the patch date (2026-04-23) for unexpected role values, cross-tenant organization IDs, or anomalous creation timestamps.
3. WORKAROUND (if patching is delayed): Block or rate-limit the registration endpoint at the WAF/reverse-proxy layer; consider switching to invitation-only registration.
4. ROTATE CREDENTIALS: Treat all API keys stored in Flowise flows as potentially compromised: rotate LLM provider keys, database credentials, and any secrets embedded in workflow configurations.
5. DETECT: Monitor registration endpoint logs for JSON bodies containing unexpected fields (role, organizationId, isAdmin, verified, or similar server-managed properties); alert on any newly created account that immediately accesses resources across multiple organizations.
6. VERIFY ISOLATION: Confirm tenant data isolation is intact by auditing cross-organization access logs post-incident.
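One way to implement the DETECT step over request logs, as an added example that is not part of the advisory or of Flowise. The log format (one JSON object per line with `method`, `path`, `src`, `body`), the expected-field list and the sample lines are assumptions; the path is the one named in this page's exploitation scenario.

```javascript
// Added example, not Flowise code. Log format and field list are assumptions.
const REGISTER_PATH = '/api/v1/user/register'; // path named in this page's scenario
const EXPECTED_FIELDS = new Set(['email', 'password', 'name']); // assumed client fields

// Collect every key path that is not an expected top-level scalar, descending
// into nested objects so injected sub-objects are reported as well.
function unexpectedKeys(value, prefix = '') {
  const found = [];
  for (const [key, child] of Object.entries(value)) {
    const path = prefix ? `${prefix}.${key}` : key;
    const nested = child !== null && typeof child === 'object';
    if (prefix || !EXPECTED_FIELDS.has(key) || nested) found.push(path);
    if (nested) found.push(...unexpectedKeys(child, path));
  }
  return found;
}

// Return one alert per registration request whose body carries extra fields.
function scanRegistrationLog(lines) {
  const alerts = [];
  lines.forEach((line, index) => {
    let entry;
    try { entry = JSON.parse(line); } catch { return; } // skip non-JSON lines
    if (!entry || entry.method !== 'POST' || entry.path !== REGISTER_PATH) return;
    if (entry.body === null || typeof entry.body !== 'object') return;
    const keys = unexpectedKeys(entry.body);
    if (keys.length > 0) alerts.push({ line: index + 1, src: entry.src, keys });
  });
  return alerts;
}

// Constructed sample log lines (documentation IP ranges, not real traffic).
const SAMPLE_LOG = [
  '{"method":"POST","path":"/api/v1/user/register","src":"192.0.2.10","body":{"email":"u1@example.test","password":"[redacted]"}}',
  '{"method":"POST","path":"/api/v1/user/register","src":"198.51.100.7","body":{"email":"u2@example.test","password":"[redacted]","role":"admin","organizationId":"00000000-0000-0000-0000-000000000000"}}',
  '{"method":"GET","path":"/api/v1/ping","src":"192.0.2.10"}',
  '{"method":"POST","path":"/api/v1/user/register","src":"203.0.113.5","body":{"email":"u3@example.test","password":"[redacted]","user":{"isAdmin":true}}}',
  'not json',
];

console.log(scanRegistrationLog(SAMPLE_LOG));
```

The scan only works if request bodies are logged before any server-side filtering; logs taken after sanitization will not show the injected keys.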
Frequently Asked Questions
Is CVE-2026-41267 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-41267, increasing the risk of exploitation.
What systems are affected by CVE-2026-41267?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow orchestration, multi-tenant AI platforms, RAG pipelines.
What is the CVSS score for CVE-2026-41267?
CVE-2026-41267 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.83%.
What is the AI security impact?
MITRE ATLAS Techniques
AML.T0012 Valid Accounts
AML.T0021 Establish Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0083 Credentials from AI Agent Configuration
What are the technical details?
Original Advisory
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment. This vulnerability is fixed in 3.1.0.
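The mass-assignment pattern the advisory describes, next to an allowlist-based handler that rejects it, as an added example (not Flowise's code). The function names, the `CLIENT_FIELDS` allowlist, the default values and the `serverContext` parameter are assumptions.

```javascript
// Added example, not Flowise source. Field names follow the ones this page
// mentions (role, organizationId, isActive); everything else is hypothetical.
const CLIENT_FIELDS = { email: 'string', password: 'string', name: 'string' };

// Vulnerable pattern: every client-supplied key is copied onto the record,
// so server-managed fields sent by the client override the defaults.
function buildUserUnsafe(body) {
  return { role: 'member', organizationId: null, isActive: false, ...body };
}

// Hardened pattern: reject unknown keys, accept only allowlisted scalars,
// then set server-managed fields from server-side state only.
function buildUserSafe(body, serverContext) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('registration body must be a JSON object');
  }
  const rejected = Object.keys(body).filter(
    (key) => !Object.prototype.hasOwnProperty.call(CLIENT_FIELDS, key)
  );
  if (rejected.length > 0) {
    const err = new Error(`unexpected fields: ${rejected.join(', ')}`);
    err.rejected = rejected; // keep the list for logging and alerting
    throw err;
  }
  const user = {};
  for (const [key, type] of Object.entries(CLIENT_FIELDS)) {
    if (body[key] === undefined) continue;
    // A nested object where a scalar is expected is rejected, not merged.
    if (typeof body[key] !== type) throw new TypeError(`${key} must be a ${type}`);
    user[key] = body[key];
  }
  return {
    ...user,
    role: 'member',
    organizationId: serverContext.organizationId,
    isActive: false,
    createdDate: serverContext.now,
  };
}
```

Rejecting unknown keys outright, rather than silently dropping them, also gives the registration endpoint a clean signal to log and alert on.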
Exploitation Scenario
An adversary targeting a financial services firm using Flowise to power their AI compliance assistant sends a single crafted POST to `/api/v1/user/register` with a payload like `{"email":"attacker@evil.com","password":"pw","role":"admin","organizationId":"<target-org-uuid>","isActive":true}`. The server accepts all fields without stripping server-managed properties, creating an account with admin privileges in the victim organization. The attacker logs in, navigates to the Flowise flow editor, and extracts the victim's OpenAI API key and internal database connection string stored in workflow credentials. They then modify a production RAG chatbot flow to forward all user queries to an attacker-controlled endpoint, silently exfiltrating sensitive employee or customer data submitted through the AI assistant—all while the legitimate organization sees no alerts and the tampered workflow continues serving responses normally.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
| CVE | CVSS | Title | Relation |
|---|---|---|---|
| CVE-2025-59528 | 10.0 | Flowise: Unauthenticated RCE via MCP config injection | Same package: flowise |
| CVE-2026-40933 | 9.9 | Flowise: RCE via MCP stdio command injection | Same package: flowise |
| CVE-2025-61913 | 9.9 | Flowise: path traversal in file tools leads to RCE | Same package: flowise |
| CVE-2026-30821 | 9.8 | flowise: Arbitrary File Upload enables RCE | Same package: flowise |
| CVE-2026-30824 | 9.8 | Flowise: auth bypass exposes NVIDIA NIM container endpoints | Same package: flowise |