CVE-2026-42861: Flowise: mass assignment breaks multi-tenant isolation
GHSA-6fw7-3q8r-m5vj HIGH CISA: TRACK*FlowiseAI versions ≤3.1.1 contain a mass assignment vulnerability in the PUT /api/v1/variables endpoint that allows any authenticated user to overwrite server-controlled fields — including workspaceId — reassigning agent variables to arbitrary workspaces and bypassing tenant isolation. In shared or multi-tenant Flowise deployments, a low-privilege account is sufficient to move variables containing API keys, system prompts, or model credentials across workspace boundaries without authorization. The package carries 69 prior CVEs, signaling sustained attacker interest in this codebase, and exploitation is trivial — no tooling required beyond a standard HTTP client. Upgrade to flowise 3.1.2 immediately; in the interim, block PUT /api/v1/variables requests at the WAF level if they include workspaceId, createdDate, or updatedDate in the body, and audit variable records for unexpected cross-workspace reassignments.
What is the risk?
Medium-high. Exploitation requires a valid account but is otherwise trivial — the attacker includes extra fields in a standard API request with no specialized tooling. The blast radius is concentrated in multi-tenant Flowise deployments where workspace boundaries are a security control; a single compromised or malicious account can breach that boundary entirely. Single-tenant deployments face reduced risk but remain exposed to metadata tampering (forged createdDate/updatedDate) that corrupts audit trails and compliance evidence chains, which is particularly damaging for organizations relying on Flowise workflow logs as ISO 42001 or EU AI Act compliance artifacts.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | <= 3.1.1 | 3.1.2 |
Do you use Flowise? You're affected.
How severe is it?
What should I do?
5 steps-
Patch: Upgrade flowise to ≥3.1.2 immediately — the fix is available and referenced in GHSA-6fw7-3q8r-m5vj.
-
Workaround (if patching is delayed): deploy a WAF rule to reject PUT /api/v1/variables requests whose JSON body contains workspaceId, createdDate, or updatedDate keys.
-
Detection: Query the Flowise database for variables where workspaceId does not match the workspace of the account that last modified them — any discrepancy is a signal of exploitation.
-
Audit: Review API access logs for PUT /api/v1/variables calls with oversized or anomalous JSON bodies.
-
Rotate any API keys or sensitive credentials stored as Flowise variables in all workspaces as a precautionary measure following an audit.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-42861?
FlowiseAI versions ≤3.1.1 contain a mass assignment vulnerability in the PUT /api/v1/variables endpoint that allows any authenticated user to overwrite server-controlled fields — including workspaceId — reassigning agent variables to arbitrary workspaces and bypassing tenant isolation. In shared or multi-tenant Flowise deployments, a low-privilege account is sufficient to move variables containing API keys, system prompts, or model credentials across workspace boundaries without authorization. The package carries 69 prior CVEs, signaling sustained attacker interest in this codebase, and exploitation is trivial — no tooling required beyond a standard HTTP client. Upgrade to flowise 3.1.2 immediately; in the interim, block PUT /api/v1/variables requests at the WAF level if they include workspaceId, createdDate, or updatedDate in the body, and audit variable records for unexpected cross-workspace reassignments.
Is CVE-2026-42861 actively exploited?
No confirmed active exploitation of CVE-2026-42861 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-42861?
1. Patch: Upgrade flowise to ≥3.1.2 immediately — the fix is available and referenced in GHSA-6fw7-3q8r-m5vj. 2. Workaround (if patching is delayed): deploy a WAF rule to reject PUT /api/v1/variables requests whose JSON body contains workspaceId, createdDate, or updatedDate keys. 3. Detection: Query the Flowise database for variables where workspaceId does not match the workspace of the account that last modified them — any discrepancy is a signal of exploitation. 4. Audit: Review API access logs for PUT /api/v1/variables calls with oversized or anomalous JSON bodies. 5. Rotate any API keys or sensitive credentials stored as Flowise variables in all workspaces as a precautionary measure following an audit.
What systems are affected by CVE-2026-42861?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI deployments, LLM workflow platforms, AI pipeline orchestration.
What is the CVSS score for CVE-2026-42861?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application AML.T0081 Modify AI Agent Configuration AML.T0085 Data from AI Services Compliance Controls Affected
What are the technical details?
Original Advisory
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces. This behavior may break tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.
Exploitation Scenario
A legitimate but malicious user in a shared Flowise deployment authenticates with their own workspace credentials. They identify target workspace UUIDs through error messages, enumeration, or brute-force of the UUID space. The attacker selects a variable they own and sends a PUT /api/v1/variables/{id} request with the victim's workspaceId injected into the JSON body alongside normal fields. The backend persists the record with the attacker-controlled workspaceId without validation. Depending on application logic governing workspace-level reads, the attacker can now access or contaminate variables in the victim workspace — harvesting LLM API keys, injecting malicious system prompt values, or altering model endpoint configurations to redirect AI agent traffic. Forged createdDate and updatedDate fields are used to disguise the tampering in audit logs.
Weaknesses (CWE)
CWE-284 Improper Access Control
Primary
CWE-284 Improper Access Control
Primary
CWE-639 Authorization Bypass Through User-Controlled Key
Primary
CWE-639 Authorization Bypass Through User-Controlled Key
Primary
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Primary
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Primary
CWE-284 Improper Access Control CWE-639 Authorization Bypass Through User-Controlled Key CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2025-71338 10.0 Flowise: unauthenticated file write enables RCE
Same package: flowise CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE
Same package: flowise