CVE-2026-42862 — HIGH | AI Threat Alert

Q: Is CVE-2026-42862 actively exploited?

No confirmed active exploitation of CVE-2026-42862 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-42862?

1. Patch: Upgrade flowise to version 3.1.2 immediately — this is the vendor-confirmed fix. 2. Workaround (if patching is blocked): Deploy a WAF or reverse proxy rule that strips workspaceId, createdDate, and updatedDate from the body of any PUT /api/v1/tools/* request before it reaches the application. 3. Detection: Query your Flowise database for tools whose workspaceId does not match their creation context, or for tools with createdDate/updatedDate values in the distant past (pre-2020) that were not present before a specific date. Enable API request logging if not already active and alert on PUT /api/v1/tools/* requests containing the workspaceId field. 4. Access control: Until patched, restrict the tool update endpoint to admin-role users only via network policy or API gateway. 5. Audit: In any multi-workspace environment, enumerate all tool records and validate workspaceId integrity against expected ownership.

Q: What systems are affected by CVE-2026-42862?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Multi-tenant AI platforms, Enterprise AI workflow automation.

Q: What is the CVSS score for CVE-2026-42862?

No CVSS score has been assigned yet.

CISO Take

FlowiseAI versions up to 3.1.1 contain a mass assignment vulnerability in the tool update API (PUT /api/v1/tools/{toolId}) that lets any authenticated user inject server-controlled fields — including workspaceId — directly into database entities, effectively crossing workspace boundaries without authorization. For organizations running Flowise as a shared AI agent platform across teams or clients, this breaks the tenant isolation model entirely: a user in workspace A can silently reassign tools to workspace B, and can also falsify audit timestamps (createdDate, updatedDate) to cover the activity. There is no public exploit and no CISA KEV entry, but exploitation is trivially easy for any authenticated user — a single modified HTTP request is sufficient — and this package carries 69 known CVEs, signaling a pattern of insufficient input validation across its codebase. Upgrade to flowise 3.1.2 immediately; if patching is blocked, use a WAF rule to strip workspaceId, createdDate, and updatedDate from PUT /api/v1/tools/* request bodies and audit your database for tools with unexpected workspaceId values.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Moderate-High for multi-tenant or shared deployments; Low for single-tenant self-hosted instances where all users are equally trusted. Exploitation requires valid credentials but zero AI/ML expertise — it is a basic HTTP parameter injection. The blast radius in a multi-workspace environment is significant: any authenticated user in any workspace can move tools across tenants without triggering standard access control alerts. The 69 prior CVEs in the flowise package indicate systemic input validation gaps, increasing the probability that adjacent bypass vectors exist. No EPSS data is available, and the vulnerability is not actively exploited in the wild as of publication date.

Attack Kill Chain

Initial Access

Attacker authenticates to the Flowise instance using valid credentials for any workspace, obtained through credential theft, phishing, or legitimate account creation on a shared instance.

AML.T0012

API Exploitation

Attacker crafts a PUT /api/v1/tools/{toolId} request injecting workspaceId of a target tenant into the JSON body; the server accepts and persists all attacker-controlled fields without validation.

AML.T0049

Evidence Tampering

Attacker sets createdDate and updatedDate to historical values in the same request to erase forensic evidence of the reassignment from audit logs.

AML.T0081

Tenant Isolation Breach

Reassigned tools — potentially containing embedded API keys, privileged system access, or sensitive schemas — are now accessible to all users in the target workspace, fully breaking multi-tenant boundaries.

AML.T0053

Initial Access

Attacker authenticates to the Flowise instance using valid credentials for any workspace, obtained through credential theft, phishing, or legitimate account creation on a shared instance.

AML.T0012

API Exploitation

Attacker crafts a PUT /api/v1/tools/{toolId} request injecting workspaceId of a target tenant into the JSON body; the server accepts and persists all attacker-controlled fields without validation.

AML.T0049

Evidence Tampering

Attacker sets createdDate and updatedDate to historical values in the same request to erase forensic evidence of the reassignment from audit logs.

AML.T0081

Tenant Isolation Breach

Reassigned tools — potentially containing embedded API keys, privileged system access, or sensitive schemas — are now accessible to all users in the target workspace, fully breaking multi-tenant boundaries.

AML.T0053

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
flowise	npm	<= 3.1.1	`3.1.2`

Do you use flowise? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

Patch: Upgrade flowise to version 3.1.2 immediately — this is the vendor-confirmed fix.
Workaround (if patching is blocked): Deploy a WAF or reverse proxy rule that strips workspaceId, createdDate, and updatedDate from the body of any PUT /api/v1/tools/* request before it reaches the application.
Detection: Query your Flowise database for tools whose workspaceId does not match their creation context, or for tools with createdDate/updatedDate values in the distant past (pre-2020) that were not present before a specific date. Enable API request logging if not already active and alert on PUT /api/v1/tools/* requests containing the workspaceId field.
Access control: Until patched, restrict the tool update endpoint to admin-role users only via network policy or API gateway.
Audit: In any multi-workspace environment, enumerate all tool records and validate workspaceId integrity against expected ownership.

Classification

Auth Bypass Data Extraction Agent Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0081 - Modify AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.6.1.2 - AI roles and responsibilities — access authorization A.9.7 - AI system operation — access control to AI artifacts

NIST AI RMF

GOVERN 6.1 - Policies and procedures for AI risk management

OWASP LLM Top 10

LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-42862?

FlowiseAI versions up to 3.1.1 contain a mass assignment vulnerability in the tool update API (PUT /api/v1/tools/{toolId}) that lets any authenticated user inject server-controlled fields — including workspaceId — directly into database entities, effectively crossing workspace boundaries without authorization. For organizations running Flowise as a shared AI agent platform across teams or clients, this breaks the tenant isolation model entirely: a user in workspace A can silently reassign tools to workspace B, and can also falsify audit timestamps (createdDate, updatedDate) to cover the activity. There is no public exploit and no CISA KEV entry, but exploitation is trivially easy for any authenticated user — a single modified HTTP request is sufficient — and this package carries 69 known CVEs, signaling a pattern of insufficient input validation across its codebase. Upgrade to flowise 3.1.2 immediately; if patching is blocked, use a WAF rule to strip workspaceId, createdDate, and updatedDate from PUT /api/v1/tools/* request bodies and audit your database for tools with unexpected workspaceId values.

Is CVE-2026-42862 actively exploited?

No confirmed active exploitation of CVE-2026-42862 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42862?

1. Patch: Upgrade flowise to version 3.1.2 immediately — this is the vendor-confirmed fix. 2. Workaround (if patching is blocked): Deploy a WAF or reverse proxy rule that strips workspaceId, createdDate, and updatedDate from the body of any PUT /api/v1/tools/* request before it reaches the application. 3. Detection: Query your Flowise database for tools whose workspaceId does not match their creation context, or for tools with createdDate/updatedDate values in the distant past (pre-2020) that were not present before a specific date. Enable API request logging if not already active and alert on PUT /api/v1/tools/* requests containing the workspaceId field. 4. Access control: Until patched, restrict the tool update endpoint to admin-role users only via network policy or API gateway. 5. Audit: In any multi-workspace environment, enumerate all tool records and validate workspaceId integrity against expected ownership.

What systems are affected by CVE-2026-42862?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Multi-tenant AI platforms, Enterprise AI workflow automation.

What is the CVSS score for CVE-2026-42862?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign tools to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. ### Details The endpoint responsible for updating tools: **PUT /api/v1/tools/{toolId}** accepts a JSON request body containing tool metadata. However, the server does not restrict which properties may be modified by the client. As a result, user-controlled request bodies can include additional fields that should normally be controlled only by the backend. Server-controlled fields that can be manipulated include: 1. workspaceId 2. createdDate 3. updatedDate The request body is directly merged into the underlying database entity without proper DTO validation or authorization checks. ### PoC Authenticate to the Flowise interface. Capture the request used to update a tool: ```http PUT /api/v1/tools/<TOOL_ID> Content-Type: application/json Modify the request body by injecting additional fields: { "name": "aaa", "description": "bbb", "color": "linear-gradient(rgb(109,215,45), rgb(136,170,134))", "schema": "[]", "func": "", "iconSrc": "test", "workspaceId": "11111111-2222-3333-4444-555555555555", "createdDate": "1995-03-06T14:17:50.000Z", "updatedDate": "1995-03-06T14:17:50.000Z" } ``` Send the request. Observe that the response includes the manipulated fields: ```json { "workspaceId": "11111111-2222-3333-4444-555555555555", "createdDate": "1995-03-06T14:17:50.000Z" } ``` This confirms that client-controlled values are accepted and persisted by the server. ### Impact This vulnerability allows authenticated users to manipulate internal attributes of tool resources. Confirmed impacts include: - Cross-workspace reassignment of tools (workspaceId) - Unauthorized modification of metadata (createdDate, updatedDate) In multi-tenant deployments, this may allow an attacker to move tools between workspaces without authorization, breaking tenant isolation boundaries.

Exploitation Scenario

An attacker obtains valid credentials to a low-privilege workspace in a shared Flowise deployment — through credential theft, account takeover, or legitimate signup on a multi-tenant instance. Using the standard Flowise UI, they capture a tool update request via browser developer tools or a proxy. They modify the JSON body to inject a target workspaceId (obtained through enumeration, leaked configuration, or insider knowledge) and send the manipulated PUT request. The server accepts and persists the attacker-controlled workspaceId without validation, moving the tool into the target workspace. The attacker also sets createdDate and updatedDate to historical values to obscure the modification in audit logs. If the reassigned tool contained embedded API keys or privileged system access in its schema/func fields, those credentials are now accessible to anyone in the target workspace. The attacker repeats across multiple tools and workspaces, systematically dismantling tenant isolation while appearing as a normal authenticated user in access logs.