CVE-2026-46478: Flowise mass-assignment

CISO Take

A mass-assignment flaw in Flowise's DatasetRow API (create/update endpoints) allows any authenticated user to supply a workspaceId field server-side, writing or overwriting dataset rows in workspaces they do not own—effectively bypassing all workspace isolation controls. For teams running Flowise in multi-tenant or shared-team configurations, this means an attacker with a single low-privilege account can access or corrupt datasets belonging to any other workspace on the same instance. While no CVSS score, EPSS data, or active exploitation has been confirmed, the vulnerability class (CWE-915) is trivially exploitable once the API shape is known, and the patched release makes the attack surface public. Upgrade to Flowise 3.1.2 immediately; until patched, restrict the Flowise API to internal networks and audit DatasetRow creation logs for requests where the workspace identifier does not match the authenticated user's workspace.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

CVSS is pending, but CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) in a multi-tenant context is a high-severity class: any authenticated user can exploit it with minimal skill using a standard HTTP proxy. Blast radius extends to all workspaces reachable via the API on the same Flowise instance. The absence of a public exploit and confirmed in-the-wild activity caps immediate risk, but the public advisory and patched release make manual exploitation straightforward. Risk is highest in self-hosted enterprise deployments where multiple teams share one Flowise instance and assume workspace boundaries are enforced.

How does the attack unfold?

Initial Access

Attacker authenticates to the Flowise instance with a valid low-privilege account in any workspace, requiring no elevated permissions.

AML.T0012

API Exploitation

Attacker intercepts a DatasetRow API request and replaces the workspaceId field with the UUID of a target workspace, exploiting the mass-assignment flaw.

AML.T0049

Cross-Workspace Write

Server accepts the tampered request without validating workspace ownership, creating or overwriting dataset rows in the victim workspace.

AML.T0099

RAG/Agent Poisoning

Attacker-controlled dataset rows are retrieved during victim workspace RAG queries or agent execution, injecting malicious content into live LLM inference.

AML.T0070

Initial Access

Attacker authenticates to the Flowise instance with a valid low-privilege account in any workspace, requiring no elevated permissions.

AML.T0012

API Exploitation

Attacker intercepts a DatasetRow API request and replaces the workspaceId field with the UUID of a target workspace, exploiting the mass-assignment flaw.

AML.T0049

Cross-Workspace Write

Server accepts the tampered request without validating workspace ownership, creating or overwriting dataset rows in the victim workspace.

AML.T0099

RAG/Agent Poisoning

Attacker-controlled dataset rows are retrieved during victim workspace RAG queries or agent execution, injecting malicious content into live LLM inference.

AML.T0070

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	—	No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

Patch immediately: upgrade Flowise to version 3.1.2 or later.
Network isolation: until patched, restrict Flowise API access to internal networks or require VPN; do not expose the API publicly.
Detection: audit server-side logs for DatasetRow create/update calls where the workspaceId in the request body differs from the authenticated user's assigned workspace.
Data integrity audit: enumerate all DatasetRow entries across workspaces and cross-reference against expected ownership; flag anomalies for manual review and revert suspect rows.
Principle of least privilege: ensure Flowise accounts are scoped to their own workspace and that admin-level API access is restricted to operators only.

How is it classified?

Auth Bypass Data Leakage Model Poisoning Agent Framework RAG AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0070 - RAG Poisoning AML.T0099 - AI Agent Tool Data Poisoning

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.6.1.3 - Access control for AI systems

NIST AI RMF

GOVERN 1.7 - Processes for AI risk management

OWASP LLM Top 10

LLM04 - Data and Model Poisoning

Frequently Asked Questions

What is CVE-2026-46478?

A mass-assignment flaw in Flowise's DatasetRow API (create/update endpoints) allows any authenticated user to supply a workspaceId field server-side, writing or overwriting dataset rows in workspaces they do not own—effectively bypassing all workspace isolation controls. For teams running Flowise in multi-tenant or shared-team configurations, this means an attacker with a single low-privilege account can access or corrupt datasets belonging to any other workspace on the same instance. While no CVSS score, EPSS data, or active exploitation has been confirmed, the vulnerability class (CWE-915) is trivially exploitable once the API shape is known, and the patched release makes the attack surface public. Upgrade to Flowise 3.1.2 immediately; until patched, restrict the Flowise API to internal networks and audit DatasetRow creation logs for requests where the workspace identifier does not match the authenticated user's workspace.

Is CVE-2026-46478 actively exploited?

No confirmed active exploitation of CVE-2026-46478 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46478?

1. Patch immediately: upgrade Flowise to version 3.1.2 or later. 2. Network isolation: until patched, restrict Flowise API access to internal networks or require VPN; do not expose the API publicly. 3. Detection: audit server-side logs for DatasetRow create/update calls where the workspaceId in the request body differs from the authenticated user's assigned workspace. 4. Data integrity audit: enumerate all DatasetRow entries across workspaces and cross-reference against expected ownership; flag anomalies for manual review and revert suspect rows. 5. Principle of least privilege: ensure Flowise accounts are scoped to their own workspace and that admin-level API access is restricted to operators only.

What systems are affected by CVE-2026-46478?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, RAG pipelines, LLM workflow builders, Multi-tenant AI platforms.

What is the CVSS score for CVE-2026-46478?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Agent frameworksRAG pipelinesLLM workflow buildersMulti-tenant AI platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0070 RAG Poisoning

AML.T0099 AI Agent Tool Data Poisoning

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.6.1.3

NIST AI RMF: GOVERN 1.7

OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover. This issue has been patched in version 3.1.2.

Exploitation Scenario

An attacker registers or obtains a low-privilege Flowise account on a target instance. Using a proxy tool, they intercept a legitimate DatasetRow create request and observe that the request body contains a workspaceId field. Through reconnaissance—such as a leaked workspace link, API enumeration, or prior access—they obtain the UUID of a high-value workspace belonging to a security or compliance team. They replay the crafted request with the victim workspaceId, and the server accepts it without validating ownership, inserting an attacker-controlled row into the victim's dataset. If that dataset feeds a RAG pipeline, the attacker's injected document is retrieved during inference, influencing the LLM's responses across the victim workspace without touching the model itself—a stealthy RAG poisoning attack enabled entirely by broken access control.