CVE-2026-46475: Flowise: mass-assignment enables workspace takeover

AWAITING NVD
Published June 8, 2026
CISO Take

Flowise before version 3.1.2 contains a mass-assignment vulnerability (CWE-915) in its assistant create and update API endpoints, allowing an authenticated attacker in one workspace to inject unauthorized ownership parameters and seize control of AI assistants belonging to a different workspace. For organizations running multi-tenant Flowise deployments — a common pattern when multiple teams or customers share a single LLM orchestration instance — this means a low-privileged user can hijack AI agents that may be configured with sensitive system prompts, connected external tool credentials, and privileged database access. No CVSS score or EPSS data is available at publication time and the vulnerability is absent from CISA KEV, but CWE-915 mass-assignment exploits are well-understood and trivially reproducible with standard API fuzzing tools once the endpoint structure is known. Upgrade to Flowise 3.1.2 immediately; if patching is delayed, restrict assistant create and update endpoints to trusted internal networks and audit existing assistant workspace assignments for anomalous cross-workspace ownership.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Medium-High in multi-tenant deployments. The mass-assignment flaw (CWE-915) enables horizontal privilege escalation across workspace boundaries requiring only valid authentication — no elevated internal privileges needed. The attack surface is proportional to how many workspaces share the instance and how sensitive the AI assistant configurations are. Assistants connected to external APIs, code interpreters, or databases represent the highest-value takeover targets. Single-tenant or isolated single-user self-hosted instances face materially lower risk but should still patch given the ease of exploitation and the absence of a known workaround short of network isolation.

How does the attack unfold?

  1. Authentication (AML.T0012): Attacker authenticates to a shared Flowise instance with legitimate credentials for their own workspace, obtaining a valid session token.

  2. API Exploitation (AML.T0049): Attacker crafts a mass-assignment payload targeting the assistant create or update endpoint, injecting a target workspace's ID to override ownership validation on the server.

  3. Agent Takeover (AML.T0081): Flowise processes the request without validating workspace ownership, persisting the assistant configuration under attacker control in the target workspace.

  4. Credential and Config Exfiltration (AML.T0083): Attacker reads the hijacked assistant's full configuration, extracting system prompts, connected tool definitions, and embedded API credentials to enable further lateral movement.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
Flowise | npm | | No patch

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Immediate: Upgrade Flowise to version 3.1.2 or later — the patch is available at the linked GitHub release.

  2. If patching is delayed: implement network-layer ACLs restricting access to Flowise assistant create/update API endpoints to trusted internal subnets only.

  3. Audit existing assistant configurations for unexpected workspace ID assignments — cross-reference assistant ownership records against expected workspace membership lists.

  4. Review any assistants with access to sensitive external tools (APIs, databases, code execution) for unauthorized modification since deployment of the affected version.

  5. Treat any pre-3.1.2 multi-tenant Flowise instance as potentially compromised until audited; rotate API keys and credentials stored in or accessible through assistant configurations as a precaution.
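
One way to run the cross-reference in steps 3 and 4 over an exported list of assistant records, as an added example that is not Flowise tooling. The record fields (`workspaceId`, `createdBy`, `updatedBy`, `updatedAt`, `tools`), the membership map and the deployment date are assumptions standing in for whatever your own export contains.

```javascript
// Added illustration, not Flowise tooling. The record shape (id, workspaceId,
// createdBy, updatedBy, updatedAt, tools) is an assumed export format.
function auditAssistants(assistants, membership, affectedSince) {
  const since = Date.parse(affectedSince);
  const findings = [];
  for (const a of assistants) {
    const members = membership.get(a.workspaceId);
    const reasons = [];
    if (!members) {
      reasons.push(`workspace ${a.workspaceId} is not in the membership list`);
    } else {
      for (const field of ['createdBy', 'updatedBy']) {
        if (a[field] && !members.includes(a[field])) {
          reasons.push(`${field} ${a[field]} is not a member of ${a.workspaceId}`);
        }
      }
    }
    if (reasons.length === 0) continue;
    // Step 4: tool-connected assistants changed in the exposure window go first.
    const inWindow = Date.parse(a.updatedAt) >= since;
    const hasTools = Array.isArray(a.tools) && a.tools.length > 0;
    const priority = inWindow && hasTools ? 'high' : 'review';
    findings.push({ id: a.id, workspaceId: a.workspaceId, priority, reasons });
  }
  const rank = { high: 0, review: 1 };
  return findings.sort((x, y) => rank[x.priority] - rank[y.priority]);
}

// Constructed sample data: expected workspace membership and exported records.
const MEMBERSHIP = new Map([['ws-a', ['alice']], ['ws-b', ['bob', 'carol']]]);
const ASSISTANTS = [
  { id: 'a1', workspaceId: 'ws-a', createdBy: 'alice', updatedBy: 'alice',
    updatedAt: '2026-05-01T10:00:00Z', tools: [] },
  { id: 'a3', workspaceId: 'ws-b', createdBy: 'alice', updatedBy: null,
    updatedAt: '2026-01-15T00:00:00Z', tools: [] },
  { id: 'a2', workspaceId: 'ws-b', createdBy: 'bob', updatedBy: 'alice',
    updatedAt: '2026-05-20T09:30:00Z', tools: ['sql'] },
];
const AFFECTED_SINCE = '2026-03-01T00:00:00Z'; // constructed deployment date

function runSampleAudit() {
  return auditAssistants(ASSISTANTS, MEMBERSHIP, AFFECTED_SINCE);
}
```

Findings are leads for manual review rather than proof of takeover: an administrator with legitimate cross-workspace rights will also be flagged.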

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: Clause 6.1 - Actions to address AI risks
NIST AI RMF: MANAGE 2.2 - Mechanisms exist to maintain AI system integrity
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-46475 actively exploited?

No confirmed active exploitation of CVE-2026-46475 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-46475?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow orchestration, multi-tenant AI platforms.

What is the CVSS score for CVE-2026-46475?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM workflow orchestration, multi-tenant AI platforms

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: Clause 6.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2.

Exploitation Scenario

An attacker with a legitimate Flowise account in Workspace A intercepts a valid assistant create or update API request using a proxy tool. By appending or overriding ownership or workspace assignment fields in the JSON body — fields that the backend processes without validating the requester's authority over the target workspace due to mass-assignment — the attacker redirects the assistant record into Workspace B. The attacker now controls a Workspace B assistant that may expose privileged system prompts, embedded tool credentials, or connected database schemas. The attacker can then read exfiltrated configuration data, modify the assistant's behavior to leak information from Workspace B users interacting with it, or invoke the hijacked agent's connected tools with attacker-controlled inputs to pivot into downstream systems.
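
The mass-assignment pattern (CWE-915) described above, shown beside an allow-list handler that rejects it, as an added example that is not Flowise source code. The field names (`workspaceId`, `name`, `instructions`), the session shape and the in-memory store are assumptions made for the illustration.

```javascript
// Added illustration, not Flowise source. The field names (workspaceId, name,
// instructions), the session shape and the in-memory store are assumptions.
const store = new Map(); // assistantId -> record

// Vulnerable pattern: the body is copied onto the record wholesale, so a
// client-supplied workspaceId replaces the server-side owner.
function updateVulnerable(session, id, body) {
  const record = store.get(id);
  if (!record) throw new Error('not found');
  return Object.assign(record, body);
}

// Hardened pattern: scope the lookup to the caller's workspace, reject
// ownership fields outright, and copy only allow-listed fields.
const EDITABLE = ['name', 'instructions'];
const SERVER_OWNED = ['id', 'workspaceId'];
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function updateHardened(session, id, body) {
  const record = store.get(id);
  // Same error for "missing" and "other workspace": no existence oracle.
  if (!record || record.workspaceId !== session.workspaceId) {
    throw new Error('not found');
  }
  for (const key of SERVER_OWNED) {
    if (has(body, key)) throw new Error(`field not allowed: ${key}`);
  }
  for (const key of EDITABLE) {
    if (has(body, key)) record[key] = body[key];
  }
  return record;
}

// Runs one constructed request body through both handlers.
function demo() {
  const session = { userId: 'alice', workspaceId: 'ws-a' };
  const body = { name: 'renamed', workspaceId: 'ws-b' };
  const seed = () => store.set('a1', { id: 'a1', workspaceId: 'ws-a', name: 'helper' });
  seed();
  const vulnerable = updateVulnerable(session, 'a1', body).workspaceId;
  seed();
  let hardened = 'accepted';
  try { updateHardened(session, 'a1', body); } catch (e) { hardened = e.message; }
  return { vulnerable, hardened, stored: store.get('a1').workspaceId };
}
```

Rejecting ownership fields with an error, instead of silently dropping them, also gives the API log a clear signal to alert on.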

Weaknesses (CWE)

Timeline

Published: June 8, 2026
Last Modified: June 9, 2026
First Seen: June 8, 2026
