CVE-2026-46480: Flowise: mass-assignment allows cross-workspace takeover
HIGH
A mass-assignment flaw in Flowise's evaluator create and update API endpoints allows any authenticated user to inject arbitrary workspace ownership attributes into their requests, enabling horizontal privilege escalation across tenant boundaries without any elevated permissions. In multi-tenant Flowise deployments — the dominant pattern in enterprise and MSP environments — this means a low-privilege attacker in one workspace can silently seize control of evaluator objects in any other workspace, potentially injecting malicious evaluation logic into other tenants' LLM agent pipelines. No public exploit code or active exploitation has been confirmed and this CVE was published today with no EPSS data yet, but the attack surface is trivial: it requires only a valid account and a crafted HTTP request body with no AI-specific knowledge. Organizations running Flowise below version 3.1.2 should upgrade immediately; if patching is blocked, restrict evaluator API endpoints to trusted networks and audit evaluator ownership records for unexpected workspace attribute changes.
What is the risk?
MEDIUM-HIGH for any multi-tenant or multi-user Flowise deployment. Authentication is required, which prevents unauthenticated mass exploitation, but in shared SaaS-style instances every tenant becomes a potential attacker against all others. CWE-915 mass assignment combined with cross-workspace authorization bypass in an AI agent orchestration platform warrants elevated urgency beyond a standard web API bug — evaluators directly gate LLM pipeline quality and safety decisions. The exploitation pattern is trivially reproducible by any developer-level user with HTTP tooling, requiring no specialized AI or security expertise.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | — | No patch |
What should I do?
5 steps:
1. Upgrade Flowise to version 3.1.2 immediately — the patch is available at the linked release.
2. If immediate patching is not feasible, place a reverse proxy ACL in front of POST /api/v1/evaluators and PUT /api/v1/evaluators/:id to block requests from non-admin roles.
3. Audit the evaluators table in your Flowise database for rows where workspace_id or owner fields were modified recently and do not match the authenticated user's workspace.
4. Review application access logs for evaluator endpoint calls containing workspace or owner attributes in the request body from users outside the target workspace.
5. Enforce workspace-level network segmentation so the Flowise API is not reachable from cross-tenant client contexts.
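The log review in step 4 can be scripted. The following is an added example, not Flowise code: it assumes request bodies are captured in a JSON-lines log with the hypothetical fields `time`, `user`, `sessionWorkspace`, `method`, `path` and `body`, and the sample lines are constructed.

```javascript
// Added illustration, not Flowise code. The JSON-lines log shape
// (time, user, sessionWorkspace, method, path, body) is an assumption.
const WORKSPACE_KEYS = ['workspaceId', 'workspace_id'];
const OWNERSHIP_KEYS = [...WORKSPACE_KEYS, 'owner'];
// Matches /api/v1/evaluators and /api/v1/evaluators/<id>
const EVALUATOR_PATH = /^\/api\/v1\/evaluators(\/[^/]+)?\/?$/;

function findOwnershipWrites(logLines) {
  const findings = [];
  for (const line of logLines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (e) {
      continue; // skip malformed lines instead of aborting the audit
    }
    if (!entry || typeof entry.path !== 'string') continue;
    const path = entry.path.split('?')[0];
    if (!['POST', 'PUT'].includes(entry.method) || !EVALUATOR_PATH.test(path)) continue;
    const body = entry.body && typeof entry.body === 'object' ? entry.body : {};
    const supplied = OWNERSHIP_KEYS.filter((k) => Object.prototype.hasOwnProperty.call(body, k));
    if (supplied.length === 0) continue; // ordinary write, no ownership attribute sent
    // Cross-workspace when a supplied workspace value differs from the caller's session.
    const crossWorkspace = WORKSPACE_KEYS.some(
      (k) => supplied.includes(k) && body[k] !== entry.sessionWorkspace
    );
    findings.push({ time: entry.time, user: entry.user, path, supplied, crossWorkspace });
  }
  // Cross-workspace writes first; the sort is stable, so log order is kept within each group.
  return findings.sort((a, b) => Number(b.crossWorkspace) - Number(a.crossWorkspace));
}

// Constructed sample log lines (not real data).
const SAMPLE_LOG = [
  '{"time":"t1","user":"alice","sessionWorkspace":"ws-A","method":"POST","path":"/api/v1/evaluators","body":{"name":"e1"}}',
  '{"time":"t2","user":"bob","sessionWorkspace":"ws-B","method":"PUT","path":"/api/v1/evaluators/42","body":{"workspaceId":"ws-B"}}',
  '{"time":"t3","user":"alice","sessionWorkspace":"ws-A","method":"POST","path":"/api/v1/evaluators","body":{"name":"e2","workspaceId":"ws-B"}}',
  '{"time":"t4","user":"alice","sessionWorkspace":"ws-A","method":"GET","path":"/api/v1/evaluators"}',
  'not json',
];

console.log(findOwnershipWrites(SAMPLE_LOG));
```

Entries with `crossWorkspace: false` still merit a look, because a client that sends ownership attributes at all is unusual.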
Frequently Asked Questions
Is CVE-2026-46480 actively exploited?
No confirmed active exploitation of CVE-2026-46480 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-46480?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM flow builders, multi-tenant AI platforms.
What is the CVSS score for CVE-2026-46480?
CVE-2026-46480 has a CVSS v3.1 base score of 8.8 (HIGH).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0081 Modify AI Agent Configuration
What are the technical details?
Original Advisory
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2.
Exploitation Scenario
An attacker holding a standard user account in Workspace A opens the Flowise API and sends a crafted POST to /api/v1/evaluators with a JSON body that includes a workspaceId field pointing to Workspace B. Because the endpoint fails to strip or validate ownership attributes before persistence, the server creates an evaluator owned by Workspace B under the attacker's control. The attacker then issues a PUT to that evaluator ID, modifying its scoring logic to always return passing evaluations — effectively disabling safety and quality gates on every LLM flow in Workspace B without triggering any access-denied error or audit alert visible to Workspace B's administrators.
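The root cause described above, shown as the vulnerable merge pattern beside a hardened form. This is an added example and not Flowise source code: `workspaceId` comes from the scenario, while the editable field names (`name`, `type`, `config`), the session object and all function names are hypothetical.

```javascript
// Added illustration; not Flowise source. Fields other than workspaceId are hypothetical.
const EDITABLE_FIELDS = ['name', 'type', 'config'];

// Vulnerable pattern (CWE-915): every client-supplied key is copied onto the record,
// so a body carrying workspaceId overrides the server-side tenant binding.
function buildEvaluatorUnsafe(body, session) {
  return Object.assign({ workspaceId: session.workspaceId }, body);
}

// Hardened pattern: copy only allowlisted keys, then bind ownership from the session.
function buildEvaluatorSafe(body, session) {
  const record = {};
  for (const key of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) record[key] = body[key];
  }
  record.workspaceId = session.workspaceId; // never taken from the request
  return record;
}

// Update path: authorize against the stored row's workspace, not the request body.
function applyUpdateSafe(stored, body, session) {
  if (stored.workspaceId !== session.workspaceId) {
    const err = new Error('evaluator not found in caller workspace');
    err.status = 404; // same answer as a missing id, so other tenants' ids are not confirmed
    throw err;
  }
  return { ...stored, ...buildEvaluatorSafe(body, session), id: stored.id };
}

// Constructed sample request from a Workspace A session.
const sampleSession = { userId: 'u-1', workspaceId: 'ws-A' };
const sampleBody = { name: 'quality-gate', workspaceId: 'ws-B', id: 'e-999' };

console.log(buildEvaluatorUnsafe(sampleBody, sampleSession).workspaceId);
console.log(buildEvaluatorSafe(sampleBody, sampleSession).workspaceId);
```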
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
| CVE | CVSS | Title | Relation |
|---|---|---|---|
| CVE-2025-59528 | 10.0 | Flowise: Unauthenticated RCE via MCP config injection | Same package: flowise |
| CVE-2026-40933 | 9.9 | Flowise: RCE via MCP stdio command injection | Same package: flowise |
| CVE-2025-61913 | 9.9 | Flowise: path traversal in file tools leads to RCE | Same package: flowise |
| CVE-2026-30821 | 9.8 | flowise: Arbitrary File Upload enables RCE | Same package: flowise |
| CVE-2026-30824 | 9.8 | Flowise: auth bypass exposes NVIDIA NIM container endpoints | Same package: flowise |