AI Threat Alert

CVE-2026-42863: Flowise: Mass Assignment enables cross-workspace takeover

GHSA-5wxp-qjgq-fx6m HIGH
Published May 14, 2026
CISO Take

FlowiseAI's chatflow update endpoint (PUT /api/v1/chatflows/{id}) accepts arbitrary client-supplied fields without server-side validation, allowing any authenticated user to override workspace ownership, deployment state, and public visibility of AI agent workflows. In multi-tenant Flowise deployments — common in enterprise AI build environments — this directly breaks tenant isolation: an attacker can silently reassign another tenant's workflow to their own workspace, exposing embedded system prompts, API credentials, and connected data source configurations. The package carries a history of 69 CVEs, indicating a persistent pattern of security quality concerns rather than an isolated defect. Patch immediately to flowise 3.1.2 and audit your database for unexpected workspaceId changes since the last known-good state.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk in any multi-tenant or shared Flowise deployment. Exploitation requires only valid authentication — no elevated privileges — and the technique is trivial: inject server-controlled fields into a standard JSON API request body with no special tooling. The mass assignment pattern is broadly understood at script-kiddie level and requires zero AI/ML expertise. Impact is amplified because Flowise workflows routinely embed API keys, system prompts, data source bindings, and business logic that becomes fully accessible post-reassignment. Single-tenant self-hosted deployments face lower cross-tenant risk but remain exposed to unauthorized deployment state manipulation and visibility changes that can disrupt production AI pipelines.

Attack Kill Chain

Initial Access
Attacker authenticates to the Flowise platform using a valid but low-privilege account in a multi-tenant deployment — no special permissions required.
AML.T0012
API Exploitation
Attacker captures a standard chatflow update request and injects server-controlled fields (workspaceId, isPublic, deployed) into the PUT /api/v1/chatflows/{id} JSON body.
AML.T0049
Configuration Takeover
Server accepts and persists the attacker-supplied workspaceId without ownership validation, reassigning the victim's complete AI agent workflow to the attacker's workspace.
AML.T0081
Data Access and Impact
Attacker gains full access to the victim's chatflow including embedded system prompts, API credentials, and data source connections; optionally exposes workflows publicly or disrupts production AI pipelines by toggling deployment state.
AML.T0085

What systems are affected?

Package Ecosystem Vulnerable Range Patched
flowise npm <= 3.1.1 3.1.2

Do you use flowise? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps

  1. Patch: Update flowise to >= 3.1.2 immediately — this release introduces server-side DTO whitelisting on the chatflow update endpoint.

  2. Audit: Query for unexpected workspaceId changes — SELECT id, name, workspaceId, updatedDate FROM chat_flow ORDER BY updatedDate DESC — and cross-reference against known user activity.

  3. Visibility review: Audit all chatflows where isPublic=true and confirm each is intentionally public.

  4. Detection: In versions < 3.1.2, flag PUT /api/v1/chatflows/* requests whose JSON body contains workspaceId, deployed, isPublic, createdDate, or updatedDate fields at the WAF or API gateway layer.

  5. Workaround (if patching is delayed): Restrict API access to authenticated internal networks via reverse proxy and implement WAF rules rejecting unexpected fields in chatflow update payloads.

Classification

Auth Bypass Data Extraction Agent Framework AML.T0012 AML.T0049 AML.T0081 AML.T0085

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system
ISO 42001
Annex A, A.6.2 - AI system design and development — security controls
NIST AI RMF
GOVERN 1.2 - Policies and processes for AI risk management MANAGE 2.4 - Mechanisms to sustain AI risk management
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-42863?

FlowiseAI's chatflow update endpoint (PUT /api/v1/chatflows/{id}) accepts arbitrary client-supplied fields without server-side validation, allowing any authenticated user to override workspace ownership, deployment state, and public visibility of AI agent workflows. In multi-tenant Flowise deployments — common in enterprise AI build environments — this directly breaks tenant isolation: an attacker can silently reassign another tenant's workflow to their own workspace, exposing embedded system prompts, API credentials, and connected data source configurations. The package carries a history of 69 CVEs, indicating a persistent pattern of security quality concerns rather than an isolated defect. Patch immediately to flowise 3.1.2 and audit your database for unexpected workspaceId changes since the last known-good state.

Is CVE-2026-42863 actively exploited?

No confirmed active exploitation of CVE-2026-42863 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42863?

1. Patch: Update flowise to >= 3.1.2 immediately — this release introduces server-side DTO whitelisting on the chatflow update endpoint. 2. Audit: Query for unexpected workspaceId changes — SELECT id, name, workspaceId, updatedDate FROM chat_flow ORDER BY updatedDate DESC — and cross-reference against known user activity. 3. Visibility review: Audit all chatflows where isPublic=true and confirm each is intentionally public. 4. Detection: In versions < 3.1.2, flag PUT /api/v1/chatflows/* requests whose JSON body contains workspaceId, deployed, isPublic, createdDate, or updatedDate fields at the WAF or API gateway layer. 5. Workaround (if patching is delayed): Restrict API access to authenticated internal networks via reverse proxy and implement WAF rules rejecting unexpected fields in chatflow update payloads.

What systems are affected by CVE-2026-42863?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, multi-tenant AI platforms, no-code AI workflow builders.

What is the CVSS score for CVE-2026-42863?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings. ### Details The endpoint responsible for updating chatflows: **PUT /api/v1/chatflows/{chatflowId}** accepts a JSON request body containing the chatflow configuration (flowData) along with other metadata fields. However, the server does not restrict which properties may be modified by the client. As a result, user-controlled request bodies can include additional fields that should normally be controlled only by the backend. Examples of server-controlled fields that can be manipulated include: 1. deployed 2. isPublic 3. workspaceId 4. createdDate 5. updatedDate 6. category 7. type These fields appear to be directly mapped to the underlying database entity when processing the update request, suggesting that the server performs a direct merge of the request body into the chatflow model without applying a strict DTO whitelist or authorization checks. For example, modifying the request body with: ```json { "deployed": true, "isPublic": true, "createdDate": "1999-03-06T10:59:32.000Z", "updatedDate": "1999-03-06T13:21:34.000Z", "workspaceId": "11111111-2222-3333-4444-555555555555" } ``` results in the server accepting and persisting these values. In testing, a second workspace was created in the database and the workspaceId field was successfully modified through the API request. The chatflow was reassigned to the attacker-controlled workspace, confirming that the application does not enforce workspace ownership validation. ### PoC Authenticate to the Flowise interface. Capture the request used to update a chatflow: ```http PUT /api/v1/chatflows/<CHATFLOW_ID> Content-Type: application/json Modify the request body by injecting additional fields: { "name": "test-flow", "flowData": "{...}", "deployed": true, "isPublic": true, "workspaceId": "11111111-2222-3333-4444-555555555555" } ``` Send the request. Observe that the response returns the manipulated values: ```json { "deployed": true, "isPublic": true, "workspaceId": "11111111-2222-3333-4444-555555555555" } ``` Verify in the database that the chatflow has been reassigned: ```sql SELECT id, workspaceId FROM chat_flow WHERE id='<CHATFLOW_ID>'; ``` The workspaceId value reflects the attacker-supplied workspace. ### Impact This vulnerability allows authenticated users to manipulate server-controlled attributes of chatflows. Confirmed impacts include: - Unauthorized modification of chatflow visibility (isPublic) - Unauthorized deployment state changes (deployed) - Cross-workspace reassignment of chatflows (workspaceId) - Unauthorized modification of metadata (createdDate, updatedDate) In multi-tenant environments, this allows an attacker to move chatflows between workspaces without authorization, breaking tenant isolation boundaries. This may enable: - Cross-workspace workflow takeover - Unauthorized exposure of private workflows - Manipulation of deployed agent workflows The issue stems from missing authorization checks and improper handling of client-controlled input in the chatflow update endpoint.

Exploitation Scenario

An attacker with a legitimate low-privilege account in a multi-tenant Flowise SaaS deployment uses an API proxy to capture a standard chatflow update request. They enumerate a target chatflowId through the listing endpoint or by observing network traffic, then replay the PUT request with an injected workspaceId pointing to another tenant's workspace — a value obtainable by creating a second workspace in the same instance. The server persists the attacker-supplied workspace ID without ownership validation, transferring the victim's complete AI agent workflow — including embedded system prompts, connected API credentials, and RAG data source configurations — to the attacker's workspace. The attacker may simultaneously set isPublic=true to expose the workflow externally or deployed=false to disable the victim's production AI agent pipeline, causing service disruption and potential SLA breaches.

Weaknesses (CWE)

CWE-284 Improper Access Control Primary CWE-639 Authorization Bypass Through User-Controlled Key Primary CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes Primary

References

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 14, 2026

Related Vulnerabilities

CRITICAL CVE-2025-59528 10.0

Flowise: Unauthenticated RCE via MCP config injection

Same package: flowise
CRITICAL CVE-2026-40933 9.9

Flowise: RCE via MCP stdio command injection

Same package: flowise
CRITICAL CVE-2025-61913 9.9

Flowise: path traversal in file tools leads to RCE

Same package: flowise
CRITICAL CVE-2026-30821 9.8

flowise: Arbitrary File Upload enables RCE

Same package: flowise
CRITICAL CVE-2026-30824 9.8

Flowise: auth bypass exposes NVIDIA NIM container endpoints

Same package: flowise
Back to Threat Feed