CVE-2026-46476: Flowise: mass assignment enables cross-workspace takeover

AWAITING NVD
Published June 8, 2026
CISO Take

A mass assignment vulnerability (CWE-915) in Flowise's CustomTemplate endpoints allows any authenticated user to inject a foreign workspaceId during template create or update operations, breaking multi-tenant isolation and granting read/write access to another workspace's LLM flow templates. Flowise templates routinely embed API keys for OpenAI, Anthropic, and other LLM providers alongside system prompts and tool definitions, making this a potential pivot to credential theft and AI agent manipulation across tenant boundaries. No CVSS score or public exploit exists yet, but the attack requires only a valid account and crafted HTTP parameters — well within reach of any insider, compromised credential, or trial user on a shared instance. Upgrade to Flowise 3.1.2 immediately; if patching is delayed, restrict Flowise network access to trusted subnets and audit recent CustomTemplate API calls for workspace parameter manipulation.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium-High in any multi-workspace Flowise deployment. The bar for exploitation is low — a valid account suffices, no admin privileges required — but impact depends on what secrets are embedded in cross-workspace templates. Organizations using Flowise for multi-tenant LLM delivery to customers or departments face a hard tenancy boundary failure. No KEV listing, no known public exploit, and no EPSS data are available, which tempers immediate urgency, but the attack surface is broad given Flowise's adoption in enterprise LLM orchestration.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker obtains a valid low-privilege Flowise account (via registration, credential compromise, or an existing trial) in a multi-workspace instance.

  2. Exploitation (AML.T0049): Attacker crafts a POST or PUT request to the CustomTemplate endpoint injecting a workspaceId parameter belonging to the target workspace, bypassing ownership validation via mass assignment.

  3. Configuration Discovery (AML.T0084): With ownership of the hijacked template, attacker reads full flow configuration including embedded LLM API keys, system prompts, and tool/plugin definitions from the victim workspace.

  4. Impact (AML.T0081): Attacker exfiltrates LLM provider credentials and proprietary prompts, or overwrites the template to inject malicious tool invocations that manipulate AI agent behavior for all users in the victim workspace.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Patch immediately: upgrade all Flowise instances to version 3.1.2.

  2. If patching is delayed, restrict Flowise to trusted internal networks via firewall rules and disable external access.

  3. Audit HTTP logs for CustomTemplate POST/PUT requests containing workspaceId values that differ from the authenticated user's assigned workspace — this is the primary exploitation indicator.

  4. Rotate all API keys embedded in Flowise templates across every workspace as a precautionary credential hygiene step.

  5. Review CustomTemplate ownership history for anomalous cross-workspace assignments since the affected version was first deployed in your environment.
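One way to run the audit in step 3, as an added example that is not part of the advisory or of Flowise. It assumes a JSON-lines request log that captures the request body and a user-to-workspace map exported from your identity data; the log format, field names and sample entries are constructed.

```javascript
// Constructed sample log (one JSON object per line). The format and field
// names are assumptions; adapt them to your reverse proxy or app logging.
const SAMPLE_LOG = [
  '{"ts":"2026-06-01T10:00:00Z","user":"alice","method":"POST","path":"/api/v1/custom-templates","body":{"name":"a","workspaceId":"ws-A"}}',
  '{"ts":"2026-06-01T10:05:00Z","user":"bob","method":"POST","path":"/api/v1/custom-templates","body":{"name":"b","workspaceId":"ws-A"}}',
  '{"ts":"2026-06-01T10:06:00Z","user":"bob","method":"GET","path":"/api/v1/custom-templates"}',
  '{"ts":"2026-06-01T10:07:00Z","user":"bob","method":"PUT","path":"/api/v1/custom-templates/42","body":{"name":"c"}}',
  'not json',
  '{"ts":"2026-06-01T10:09:00Z","user":"carol","method":"PUT","path":"/api/v1/custom-templates/7","body":{"workspaceId":"ws-B"}}',
];
// Constructed user -> assigned workspace map; carol is deliberately missing.
const USER_WORKSPACE = new Map([['alice', 'ws-A'], ['bob', 'ws-B']]);

// Flags POST/PUT CustomTemplate requests whose body names a workspace other
// than the one assigned to the authenticated user.
function auditCustomTemplateLog(lines, userWorkspace) {
  const findings = [];
  let unparsed = 0;
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { unparsed += 1; continue; }
    if (!e || typeof e !== 'object') { unparsed += 1; continue; }
    if (!['POST', 'PUT'].includes(e.method)) continue;
    if (!String(e.path || '').startsWith('/api/v1/custom-templates')) continue;
    const supplied = e.body?.workspaceId;
    if (supplied === undefined) continue; // body carries no ownership field
    const assigned = userWorkspace.get(e.user);
    if (assigned === undefined) {
      // Cannot verify ownership: surface for manual review rather than skip.
      findings.push({ ts: e.ts, user: e.user, supplied, reason: 'unknown-user' });
    } else if (supplied !== assigned) {
      findings.push({ ts: e.ts, user: e.user, supplied, assigned, reason: 'workspace-mismatch' });
    }
  }
  return { findings, unparsed };
}
```

Unparseable lines are counted rather than dropped silently, so a gap in log coverage shows up in the result.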

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.6.1.3 - Access control and segregation of duties in AI systems
NIST AI RMF: GOVERN-6.2 - Organizational risk management for shared AI infrastructure
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-46476 actively exploited?

No confirmed active exploitation of CVE-2026-46476 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-46476?

This vulnerability affects the following AI/ML architecture patterns: multi-tenant LLM orchestration platforms, no-code/low-code AI agent builders, agent frameworks, enterprise LLM workflow deployments.

What is the CVSS score for CVE-2026-46476?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

multi-tenant LLM orchestration platforms
no-code/low-code AI agent builders
agent frameworks
enterprise LLM workflow deployments

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.3
NIST AI RMF: GOVERN-6.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2.

Exploitation Scenario

An attacker registers or compromises a low-privilege Flowise account in workspace A of a shared enterprise instance. They intercept a legitimate CustomTemplate create request and observe the JSON body structure. They then craft a new POST to /api/v1/custom-templates with a workspaceId field set to the ID of workspace B — a separate team or customer tenant. Because the endpoint applies mass assignment without validating workspace membership, the server creates the template under workspace B's ownership. The attacker can then enumerate workspace B's templates, extract embedded OpenAI API keys and system prompts, or overwrite a production template to inject malicious tool invocations that execute on behalf of workspace B's users — effectively poisoning that tenant's AI agent without their knowledge.
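The mass-assignment pattern described above, next to a hardened form, as an added example that is not Flowise's code. The in-memory store, the handler names and every field other than workspaceId are hypothetical.

```javascript
// Hypothetical handlers over an in-memory store; NOT Flowise's actual code.
// Field names other than workspaceId are assumptions for illustration.
const ALLOWED_FIELDS = ['name', 'description', 'flowData'];

function pickAllowed(body) {
  const out = {};
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Vulnerable pattern (CWE-915): the body is copied wholesale, so a
// client-supplied workspaceId overrides the caller's own workspace.
function createTemplateVulnerable(store, session, body) {
  const record = Object.assign({ id: store.length + 1, workspaceId: session.workspaceId }, body);
  store.push(record);
  return record;
}

// Hardened create: copy allow-listed fields only; ownership always comes
// from the authenticated session, never from the request.
function createTemplateHardened(store, session, body) {
  const record = { ...pickAllowed(body), id: store.length + 1, workspaceId: session.workspaceId };
  store.push(record);
  return record;
}

// Hardened update: the lookup is scoped to the caller's workspace and the
// ownership field is not writable.
function updateTemplateHardened(store, session, id, body) {
  const record = store.find((t) => t.id === id && t.workspaceId === session.workspaceId);
  if (!record) return null; // not visible from the caller's workspace
  Object.assign(record, pickAllowed(body));
  return record;
}

// Constructed demo: a ws-A session submits a body naming ws-B.
function demo() {
  const session = { userId: 'u1', workspaceId: 'ws-A' };
  const body = { name: 't', flowData: '{}', workspaceId: 'ws-B' };
  const store = [{ id: 1, name: 'prod', workspaceId: 'ws-B' }];
  return {
    vulnerable: createTemplateVulnerable([], session, body).workspaceId,
    hardened: createTemplateHardened(store, session, body).workspaceId,
    crossUpdate: updateTemplateHardened(store, session, 1, { name: 'x', workspaceId: 'ws-A' }),
  };
}
```

The same two rules cover both endpoints: take ownership from the session on create, and scope the lookup to the session's workspace on update.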

Weaknesses (CWE)

Timeline

Published: June 8, 2026
Last Modified: June 9, 2026
First Seen: June 8, 2026
