CVE-2026-41277: Flowise mass assignment enables

CISO Take

Flowise prior to 3.1.0 contains a mass assignment flaw in the DocumentStore creation API that allows any authenticated user to supply an arbitrary primary key, causing an implicit UPSERT that silently overwrites existing DocumentStore objects — including those belonging to other workspaces in multi-tenant deployments. In enterprise Flowise environments orchestrating LLM agent pipelines, a low-privilege attacker can hijack any tenant's DocumentStore, poisoning the document collections that feed RAG-powered agents or destroying them entirely. A public proof-of-concept exists, CISA rates this ATTEND, and the CVSS 8.8 score with network-accessible, low-complexity, no-interaction exploitation means the barrier to abuse is minimal despite a modest EPSS of 0.13%. Upgrade to Flowise 3.1.0 immediately; until patched, restrict the DocumentStore API to trusted network segments and audit creation logs for POST requests where the submitted ID matches an existing object.

Sources: NVD EPSS GitHub Advisory ATLAS

What is the risk?

HIGH for multi-tenant or multi-workspace Flowise deployments. Exploitation is trivial — any authenticated session is sufficient, and the technique requires only knowledge of a target DocumentStore ID, obtainable through enumeration or timing side-channels. Single-workspace deployments face reduced but nonzero risk from internal privilege escalation. The public PoC and CVSS 8.8 elevate urgency beyond what the low EPSS score (which reflects historical exploitation rates rather than forward-looking PoC exposure) suggests. The 58 prior CVEs in this package indicate a pattern of security debt.

How does the attack unfold?

Initial Access

Attacker obtains or already holds low-privilege authenticated credentials for the target multi-tenant Flowise instance.

AML.T0012

Exploitation

Attacker enumerates victim workspace DocumentStore IDs via their own API access or predictable UUID patterns, then sends a crafted POST to the DocumentStore creation endpoint with the victim's ID as the primary key.

AML.T0049

Cross-Workspace Object Takeover

Flowise's repository.save() treats the existing primary key as an update target, silently overwriting the victim workspace's DocumentStore with attacker-controlled content and breaking object-level authorization.

AML.T0081

RAG Poisoning / Data Destruction

Victim workspace LLM agents query the poisoned DocumentStore for retrieval context, producing attacker-influenced outputs or failing entirely, achieving integrity and availability impact on production AI workflows.

AML.T0070

Initial Access

Attacker obtains or already holds low-privilege authenticated credentials for the target multi-tenant Flowise instance.

AML.T0012

Exploitation

Attacker enumerates victim workspace DocumentStore IDs via their own API access or predictable UUID patterns, then sends a crafted POST to the DocumentStore creation endpoint with the victim's ID as the primary key.

AML.T0049

Cross-Workspace Object Takeover

Flowise's repository.save() treats the existing primary key as an update target, silently overwriting the victim workspace's DocumentStore with attacker-controlled content and breaking object-level authorization.

AML.T0081

RAG Poisoning / Data Destruction

Victim workspace LLM agents query the poisoned DocumentStore for retrieval context, producing attacker-influenced outputs or failing entirely, achieving integrity and availability impact on production AI workflows.

AML.T0070

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	—	No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

8.8 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 25% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

What should I do?

5 steps

PATCH

Upgrade Flowise to 3.1.0 immediately — the only complete fix.
NETWORK CONTROLS

If patching is delayed, restrict the Flowise API to authenticated-only trusted internal network segments; ensure no public internet exposure of the DocumentStore endpoint (/api/v1/document-store).
DETECTION

Audit API logs for POST requests to the DocumentStore creation endpoint where the submitted 'id' field matches an existing stored object ID — this is the definitive exploitation indicator.
TENANT AUDIT

Enumerate all DocumentStore objects and verify ownership alignment with their expected workspaces; any ownership anomaly should be treated as a potential compromise.
INCIDENT RESPONSE

If exploitation is confirmed or suspected, re-ingest all DocumentStore collections from trusted, known-good sources before restoring agent operation.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Extraction Model Poisoning Agent RAG Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0070 - RAG Poisoning AML.T0081 - Modify AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system access control

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain value and manage risks of deployed AI systems

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-41277?

Flowise prior to 3.1.0 contains a mass assignment flaw in the DocumentStore creation API that allows any authenticated user to supply an arbitrary primary key, causing an implicit UPSERT that silently overwrites existing DocumentStore objects — including those belonging to other workspaces in multi-tenant deployments. In enterprise Flowise environments orchestrating LLM agent pipelines, a low-privilege attacker can hijack any tenant's DocumentStore, poisoning the document collections that feed RAG-powered agents or destroying them entirely. A public proof-of-concept exists, CISA rates this ATTEND, and the CVSS 8.8 score with network-accessible, low-complexity, no-interaction exploitation means the barrier to abuse is minimal despite a modest EPSS of 0.13%. Upgrade to Flowise 3.1.0 immediately; until patched, restrict the DocumentStore API to trusted network segments and audit creation logs for POST requests where the submitted ID matches an existing object.

Is CVE-2026-41277 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-41277, increasing the risk of exploitation.

How to fix CVE-2026-41277?

1. PATCH: Upgrade Flowise to 3.1.0 immediately — the only complete fix. 2. NETWORK CONTROLS: If patching is delayed, restrict the Flowise API to authenticated-only trusted internal network segments; ensure no public internet exposure of the DocumentStore endpoint (/api/v1/document-store). 3. DETECTION: Audit API logs for POST requests to the DocumentStore creation endpoint where the submitted 'id' field matches an existing stored object ID — this is the definitive exploitation indicator. 4. TENANT AUDIT: Enumerate all DocumentStore objects and verify ownership alignment with their expected workspaces; any ownership anomaly should be treated as a potential compromise. 5. INCIDENT RESPONSE: If exploitation is confirmed or suspected, re-ingest all DocumentStore collections from trusted, known-good sources before restoring agent operation.

What systems are affected by CVE-2026-41277?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, multi-tenant LLM platforms, document-grounded chatbots, LLM workflow orchestration.

What is the CVSS score for CVE-2026-41277?

CVE-2026-41277 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.33%.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesagent frameworksmulti-tenant LLM platformsdocument-grounded chatbotsLLM workflow orchestration

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0070 RAG Poisoning

AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.6

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities. Because the service uses repository.save() with a client-supplied primary key, the POST create endpoint behaves as an implicit UPSERT operation. This enables overwriting existing DocumentStore objects. In multi-workspace or multi-tenant deployments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR), allowing an attacker to reassign or modify DocumentStore objects belonging to other workspaces. This vulnerability is fixed in 3.1.0.

Exploitation Scenario

An attacker with a valid low-privilege Flowise account in a shared enterprise deployment authenticates normally and begins enumerating DocumentStore IDs through API responses visible in their own workspace or through predictable UUID patterns. Once a victim workspace's DocumentStore ID is identified, the attacker crafts a POST request to the DocumentStore creation endpoint including the victim's ID as the 'id' field in the request body. Flowise's repository.save() interprets the existing primary key as an update target, silently overwriting the victim workspace's DocumentStore with attacker-controlled document content. The victim workspace's LLM agents — querying this DocumentStore for RAG context — now operate on poisoned documents, generating responses shaped by the injected content. From an audit perspective, the attack appears as a routine DocumentStore creation event, providing effective cover.

Weaknesses (CWE)

CWE-284 Improper Access Control Primary CWE-639 Authorization Bypass Through User-Controlled Key Primary CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes Primary

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

[Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
[Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.