AI Threat Alert

CVE-2026-46477: Flowise: mass-assignment cross-workspace dataset takeover

AWAITING NVD
Published June 8, 2026
CISO Take

Flowise, a widely-deployed LLM flow builder, contains a mass-assignment flaw (CWE-915) in its dataset create and update API endpoints that allows an authenticated attacker to manipulate workspace identifiers and take over datasets belonging to other tenants. In shared or multi-tenant deployments—the predominant enterprise pattern—any authenticated user can access, modify, or exfiltrate RAG knowledge bases, training datasets, and LLM flow configurations owned by other workspaces without elevated privileges or user interaction. No CVSS score has been assigned and no public exploit or CISA KEV listing exists, but the vulnerability class is straightforward to exploit with only a valid session token. Upgrade all Flowise instances to 3.1.2 immediately and audit dataset API access logs for anomalous cross-workspace create and update operations.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium-High risk pending formal CVSS assignment. CWE-915 mass-assignment enabling cross-workspace data access in a multi-tenant AI platform represents a serious confidentiality and integrity failure. Exploitation requires only a valid authenticated session—a low bar in any shared Flowise deployment—with no additional privileges, user interaction, or network positioning needed. Blast radius spans all datasets across all workspaces on a given instance, potentially exposing proprietary RAG content, fine-tuning corpora, and embedded LLM system prompts. Single-tenant self-hosted deployments face lower but non-zero risk from insider threats.

How does the attack unfold?

Initial Access
Attacker obtains a valid account in a shared Flowise instance via self-registration or compromised credentials, gaining authenticated API access.
AML.T0012
API Exploitation
Attacker crafts a dataset create or update API request with a manipulated workspace identifier in the request body, exploiting the mass-assignment flaw to bypass tenant isolation.
AML.T0049
AI Artifact Collection
With cross-workspace access established, attacker reads and downloads RAG knowledge bases, LLM flow configurations, and training datasets from the targeted workspace.
AML.T0035
Exfiltration or Data Poisoning
Attacker exfiltrates proprietary dataset contents or overwrites them with poisoned data that propagates silently into production LLM flows served by the victim workspace.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps

  1. Upgrade Flowise to version 3.1.2 or later—the only confirmed remediation.

  2. If immediate upgrade is blocked, restrict dataset API endpoints to trusted IP ranges or deploy a WAF rule blocking workspace-ID parameter manipulation in request bodies.

  3. Audit existing dataset access logs for create and update API calls where the workspace attribute in the request body differs from the authenticated user's assigned workspace.

  4. In shared deployments, consider temporarily suspending dataset creation and update endpoints until patching is complete.

  5. Post-patch, review all datasets for unauthorized modifications introduced before the fix was applied.

How is it classified?

Auth Bypass Data Extraction Data Leakage Agent Framework RAG AML.T0012 AML.T0025 AML.T0035 AML.T0049 AML.T0085

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 10 - Data and data governance
ISO 42001
A.6.1.3 - AI data access control
NIST AI RMF
GOVERN 6.2 - Policies and procedures for AI data protection
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-46477?

Flowise, a widely-deployed LLM flow builder, contains a mass-assignment flaw (CWE-915) in its dataset create and update API endpoints that allows an authenticated attacker to manipulate workspace identifiers and take over datasets belonging to other tenants. In shared or multi-tenant deployments—the predominant enterprise pattern—any authenticated user can access, modify, or exfiltrate RAG knowledge bases, training datasets, and LLM flow configurations owned by other workspaces without elevated privileges or user interaction. No CVSS score has been assigned and no public exploit or CISA KEV listing exists, but the vulnerability class is straightforward to exploit with only a valid session token. Upgrade all Flowise instances to 3.1.2 immediately and audit dataset API access logs for anomalous cross-workspace create and update operations.

Is CVE-2026-46477 actively exploited?

No confirmed active exploitation of CVE-2026-46477 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46477?

1. Upgrade Flowise to version 3.1.2 or later—the only confirmed remediation. 2. If immediate upgrade is blocked, restrict dataset API endpoints to trusted IP ranges or deploy a WAF rule blocking workspace-ID parameter manipulation in request bodies. 3. Audit existing dataset access logs for create and update API calls where the workspace attribute in the request body differs from the authenticated user's assigned workspace. 4. In shared deployments, consider temporarily suspending dataset creation and update endpoints until patching is complete. 5. Post-patch, review all datasets for unauthorized modifications introduced before the fix was applied.

What systems are affected by CVE-2026-46477?

This vulnerability affects the following AI/ML architecture patterns: LLM flow builders, RAG pipelines, agent frameworks, multi-tenant AI platforms.

What is the CVSS score for CVE-2026-46477?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

LLM flow buildersRAG pipelinesagent frameworksmulti-tenant AI platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Article 10
ISO 42001: A.6.1.3
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover. This issue has been patched in version 3.1.2.

Exploitation Scenario

An attacker registers or compromises a legitimate account on a shared Flowise instance. Observing the dataset create endpoint (e.g., POST /api/v1/datasets), they identify that the workspace ID is accepted as a user-controlled body parameter due to the mass-assignment flaw. By replacing the workspace ID with a targeted workspace's identifier—enumerated from API responses or inferred from sequential patterns—the attacker creates or updates a dataset attributed to the victim workspace. This grants persistent read and write access to the victim's datasets, which may include proprietary customer data used in RAG pipelines or LLM system prompt templates, all accessible via the standard Flowise interface under the attacker's session.

Weaknesses (CWE)

CWE-915 Primary

References

Timeline

Published
June 8, 2026
Last Modified
June 9, 2026
First Seen
June 8, 2026

Related Vulnerabilities

CRITICAL CVE-2025-59528 10.0

Flowise: Unauthenticated RCE via MCP config injection

Same package: flowise
CRITICAL CVE-2026-40933 9.9

Flowise: RCE via MCP stdio command injection

Same package: flowise
CRITICAL CVE-2025-61913 9.9

Flowise: path traversal in file tools leads to RCE

Same package: flowise
CRITICAL CVE-2026-30821 9.8

flowise: Arbitrary File Upload enables RCE

Same package: flowise
CRITICAL CVE-2026-30824 9.8

Flowise: auth bypass exposes NVIDIA NIM container endpoints

Same package: flowise
Back to Threat Feed