CVE-2026-46479: Flowise mass assignment

CISO Take

Flowise versions prior to 3.1.2 contain a mass-assignment vulnerability (CWE-915) in its evaluation create and update API endpoints, allowing an authenticated user on a shared instance to inject workspace-scoped parameters into HTTP requests and seize control of evaluations belonging to other workspaces. For organizations running multi-tenant Flowise deployments — common when multiple teams share a single LLM orchestration platform — this represents a horizontal privilege escalation that bypasses tenant isolation entirely, exposing proprietary flow configurations, evaluation datasets, and model benchmarks across organizational boundaries. No CVSS score, EPSS data, or public exploit exists at this time and the vulnerability is not in CISA KEV, but the exploitation class (mass assignment by authenticated user) is trivial to abuse with basic API knowledge. Upgrade to Flowise 3.1.2 immediately and audit evaluation records for cross-workspace anomalies.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium-High in multi-tenant deployments, Low in single-tenant or self-hosted single-org setups. The vulnerability class (CWE-915 mass assignment) is well understood and requires only a valid account plus knowledge of a target workspace identifier — no special tooling or AI expertise needed. The absence of CVSS/EPSS scores reflects publication recency, not low severity. The fundamental impact is a complete failure of workspace isolation in a platform widely used to build and evaluate production LLM pipelines, making it a meaningful data exposure risk for enterprises sharing Flowise instances.

How does the attack unfold?

Initial Access

Attacker obtains or self-registers a valid account on a shared multi-tenant Flowise instance, gaining authenticated API access.

AML.T0012

Exploitation

Attacker crafts a POST or PUT request to the Flowise evaluation endpoint, injecting a target workspace's identifier via mass assignment to bypass workspace isolation controls.

AML.T0049

Configuration Takeover

Server binds the attacker-supplied workspace ID to the evaluation record, associating the evaluation with the victim workspace and granting the attacker read/write access to that workspace's evaluation data.

AML.T0081

Impact

Attacker exfiltrates or corrupts victim workspace's proprietary LLM flow evaluation configurations and benchmark results, enabling IP theft, compliance audit tampering, or further reconnaissance of the victim's AI pipeline.

AML.T0085

Initial Access

Attacker obtains or self-registers a valid account on a shared multi-tenant Flowise instance, gaining authenticated API access.

AML.T0012

Exploitation

Attacker crafts a POST or PUT request to the Flowise evaluation endpoint, injecting a target workspace's identifier via mass assignment to bypass workspace isolation controls.

AML.T0049

Configuration Takeover

Server binds the attacker-supplied workspace ID to the evaluation record, associating the evaluation with the victim workspace and granting the attacker read/write access to that workspace's evaluation data.

AML.T0081

Impact

Attacker exfiltrates or corrupts victim workspace's proprietary LLM flow evaluation configurations and benchmark results, enabling IP theft, compliance audit tampering, or further reconnaissance of the victim's AI pipeline.

AML.T0085

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	—	No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

Upgrade Flowise to version 3.1.2 or later — patch is available and directly addresses the mass-assignment flaw.
Audit evaluation records created or modified during the vulnerable window: query for evaluations where the workspace_id differs from the creating user's expected workspace.
Review application access logs for anomalous POST/PUT requests to evaluation endpoints containing unexpected workspace identifiers.
If immediate upgrade is blocked, restrict Flowise API access to trusted internal networks and reduce the set of authenticated users to those strictly necessary.
For self-hosted PostgreSQL-backed Flowise, apply row-level security policies on the evaluations table as a compensating control.

How is it classified?

Auth Bypass Data Extraction Framework Agent AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0081 - Modify AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

Clause 6.1 - Actions to address risks and opportunities

NIST AI RMF

GOVERN 1.2 - Accountability and transparency

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-46479?

Flowise versions prior to 3.1.2 contain a mass-assignment vulnerability (CWE-915) in its evaluation create and update API endpoints, allowing an authenticated user on a shared instance to inject workspace-scoped parameters into HTTP requests and seize control of evaluations belonging to other workspaces. For organizations running multi-tenant Flowise deployments — common when multiple teams share a single LLM orchestration platform — this represents a horizontal privilege escalation that bypasses tenant isolation entirely, exposing proprietary flow configurations, evaluation datasets, and model benchmarks across organizational boundaries. No CVSS score, EPSS data, or public exploit exists at this time and the vulnerability is not in CISA KEV, but the exploitation class (mass assignment by authenticated user) is trivial to abuse with basic API knowledge. Upgrade to Flowise 3.1.2 immediately and audit evaluation records for cross-workspace anomalies.

Is CVE-2026-46479 actively exploited?

No confirmed active exploitation of CVE-2026-46479 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46479?

1. Upgrade Flowise to version 3.1.2 or later — patch is available and directly addresses the mass-assignment flaw. 2. Audit evaluation records created or modified during the vulnerable window: query for evaluations where the workspace_id differs from the creating user's expected workspace. 3. Review application access logs for anomalous POST/PUT requests to evaluation endpoints containing unexpected workspace identifiers. 4. If immediate upgrade is blocked, restrict Flowise API access to trusted internal networks and reduce the set of authenticated users to those strictly necessary. 5. For self-hosted PostgreSQL-backed Flowise, apply row-level security policies on the evaluations table as a compensating control.

What systems are affected by CVE-2026-46479?

This vulnerability affects the following AI/ML architecture patterns: Multi-tenant LLM orchestration platforms, AI agent evaluation pipelines, Low-code/no-code LLM builders, Shared enterprise AI development environments.

What is the CVSS score for CVE-2026-46479?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Multi-tenant LLM orchestration platformsAI agent evaluation pipelinesLow-code/no-code LLM buildersShared enterprise AI development environments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: Clause 6.1

NIST AI RMF: GOVERN 1.2

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2.

Exploitation Scenario

An attacker registers a free or low-privilege account on a shared enterprise Flowise instance. Using Burp Suite or curl, they intercept a legitimate evaluation creation request and replay it with a modified request body that includes the workspaceId of a target team (enumerable via Flowise's API or guessable as sequential UUIDs). Due to unvalidated mass assignment on the evaluation model, the server binds the attacker-supplied workspaceId directly to the database record. The attacker's evaluation now appears in the victim workspace, granting them read access to that workspace's evaluation history and the ability to corrupt benchmark results — for example, falsifying pass rates on safety evaluations to undermine compliance reporting.