CVE-2026-56276: Flowise: mass assignment enables credential hash override

AWAITING NVD
Published June 20, 2026
CISO Take

Flowise before 3.1.2 contains a mass assignment flaw in its user management API (PUT /api/v1/user) that lets any authenticated user overwrite password hashes directly, bypassing server-side verification and session invalidation — converting a temporary account compromise into silent, permanent persistence. Flowise acts as the control plane for AI agent workflows and typically holds API keys to LLMs, vector databases, and external integrations, making persistent access to it high-impact even though no public exploit or CISA KEV listing exists today. With 94 CVEs already attributed to this package, a systemic security maturity problem warrants elevated scrutiny and faster patch cycles than the severity score alone suggests. Upgrade to Flowise 3.1.2 immediately; if patching is delayed, restrict the PUT /api/v1/user endpoint to admin IP ranges via firewall or WAF, rotate all API credentials stored in the platform, and audit user records for credential changes made without a corresponding verification event.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium severity rating understates contextual risk for AI-heavy environments. Authentication is required, which limits the attack surface, but exploitation is trivial — any authenticated session (including one obtained briefly via phishing or credential stuffing) is sufficient to establish a permanent foothold. Flowise deployments that are internet-exposed, shared across teams, or connected to production LLM APIs face the highest blast radius. The 94-CVE history of this package signals a pattern of weak security practices that historically accelerates targeted exploitation once PoC code surfaces.

How does the attack unfold?

Initial Access (AML.T0012): Attacker obtains a temporary authenticated session in Flowise via phishing, credential stuffing, or a secondary vulnerability.
Exploitation (AML.T0106): Attacker sends a crafted PUT /api/v1/user request embedding a custom password hash, exploiting the mass assignment flaw (CWE-915) to bypass server-side credential verification.
Persistence (AML.T0091): Modified credentials are committed without session invalidation, granting the attacker a permanent independent account that survives original session expiry or security team revocation.
Impact (AML.T0083): Attacker maintains ongoing access to Flowise's AI workflow control plane, exfiltrating stored LLM API keys, RAG data sources, and workflow logic while pivoting to connected downstream systems via agent tool integrations.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Patch: Upgrade Flowise to version 3.1.2 or later.

  2. Network control: If patching is delayed, firewall or WAF-restrict PUT /api/v1/user to administrator IP ranges only.

  3. Audit: Query the users table for rows where the credential hash was updated without a corresponding password-reset verification event in audit logs; flag any such changes after the instance was first deployed.

  4. Rotate credentials: If exploitation is suspected, rotate all API keys stored in Flowise (LLM providers, vector DBs, external integrations) before re-securing the platform.

  5. Detection: Alert on PUT /api/v1/user requests that include a credential or password_hash field in the payload — legitimate Flowise UI flows do not submit raw hashes.
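
The detection in step 5, as an added example (not Flowise or vendor code): it scans proxy or WAF request logs for PUT /api/v1/user bodies that carry a credential or password_hash key at any nesting depth. The JSON-lines log schema (ts, method, path, user, body) and the sample entries are constructed assumptions.

```javascript
const SENSITIVE_KEYS = new Set(['credential', 'password_hash']); // names from the advisory

// Recursively collect sensitive keys anywhere in a parsed JSON body.
function findSensitiveKeys(value, prefix = '') {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = prefix ? `${prefix}.${key}` : key;
    if (SENSITIVE_KEYS.has(key.toLowerCase())) hits.push(here);
    hits.push(...findSensitiveKeys(child, here));
  }
  return hits;
}

// True for PUT /api/v1/user, tolerating method case, query strings, trailing slashes.
function isUserUpdate(entry) {
  const path = String(entry.path || '').split('?')[0].replace(/\/+$/, '');
  return String(entry.method || '').toUpperCase() === 'PUT' && path === '/api/v1/user';
}

// Returns one alert per log line whose body carries a raw credential field.
function scanLog(lines) {
  const alerts = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip non-JSON lines
    if (!entry || !isUserUpdate(entry)) continue;
    const raise = (reason) => alerts.push({ ts: entry.ts, user: entry.user, reason });
    try {
      const raw = entry.body;
      const keys = findSensitiveKeys(typeof raw === 'string' ? JSON.parse(raw) : raw);
      if (keys.length > 0) raise(`fields: ${keys.join(',')}`);
    } catch {
      raise('unparseable body'); // cannot inspect it, so surface it
    }
  }
  return alerts;
}

// Constructed sample log (JSON lines); the schema is an assumption.
const SAMPLE_LOG = [
  { ts: '2026-06-21T09:00:01Z', method: 'PUT', path: '/api/v1/user', user: 'alice', body: '{"name":"Alice"}' },
  { ts: '2026-06-21T09:02:10Z', method: 'PUT', path: '/api/v1/user', user: 'bob', body: '{"id":"u2","credential":"<constructed-hash>"}' },
  { ts: '2026-06-21T09:03:00Z', method: 'GET', path: '/api/v1/user', user: 'carol', body: '' },
  { ts: '2026-06-21T09:04:30Z', method: 'put', path: '/api/v1/user/?src=ui', user: 'dave', body: '{"user":{"password_hash":"<constructed-hash>"}}' },
  { ts: '2026-06-21T09:05:45Z', method: 'PUT', path: '/api/v1/user', user: 'erin', body: '{broken' },
].map((e) => JSON.stringify(e));

console.log(scanLog(SAMPLE_LOG));
```

The same matching logic carries over to a WAF or SIEM rule once the request body is available as a parsed field.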

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Access control to AI systems
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-56276 actively exploited?

No confirmed active exploitation of CVE-2026-56276 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-56276?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM workflow orchestration, RAG pipelines, Multi-tool agent deployments, Low-code AI automation platforms.

What is the CVSS score for CVE-2026-56276?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, LLM workflow orchestration, RAG pipelines, Multi-tool agent deployments, Low-code AI automation platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration
AML.T0091 Use Alternate Authentication Material
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.

Exploitation Scenario

An attacker gains temporary authenticated access to a Flowise instance — via phishing a developer's credentials, exploiting a reused password, or abusing a short-lived session from a shared demo deployment. Rather than operating only within that session's lifetime, the attacker immediately sends a crafted PUT /api/v1/user request containing a pre-computed bcrypt hash of their chosen password. Flowise's API accepts the hash field without invoking the normal password-change verification flow and without invalidating existing sessions. The attacker's chosen password is now committed. When the original compromised session expires or is revoked by the security team in response to an alert, the attacker simply logs in using their new credentials — maintaining a persistent, independent foothold into the AI agent control plane, all connected LLM API keys, and every downstream system reachable through the agent's tool integrations.

Weaknesses (CWE)

CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

  • [Implementation] If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Source: MITRE CWE corpus.
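
An added illustration of the allowlist mitigation applied to this bug, not Flowise's own code: a generic update that copies the whole request body onto the user record, beside a version that accepts only allowlisted fields and routes password changes through verification, server-side hashing and session invalidation. The record shape, the name and email fields, and the use of scrypt are assumptions; only the credential field name comes from the advisory.

```javascript
const crypto = require('node:crypto');

// Server-side hashing; scrypt is an assumed stand-in for the application's KDF.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  const key = crypto.scryptSync(password, salt, 32);
  return `${salt.toString('hex')}:${key.toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [saltHex, keyHex] = stored.split(':');
  const key = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), 32);
  return crypto.timingSafeEqual(key, Buffer.from(keyHex, 'hex'));
}

// Vulnerable pattern (CWE-915): every client-supplied key is copied onto the record.
function updateUserVulnerable(user, body) {
  return Object.assign(user, body);
}

// Hardened: the generic update accepts only allowlisted profile fields.
const WRITABLE_FIELDS = ['name', 'email']; // assumed field names

function updateUserHardened(user, body) {
  const rejected = Object.keys(body).filter((k) => !WRITABLE_FIELDS.includes(k));
  if (rejected.length > 0) return { ok: false, rejected }; // refuse; log the keys
  for (const k of Object.keys(body)) user[k] = body[k];
  return { ok: true, rejected };
}

// Password changes take their own path: verify, hash server-side, drop sessions.
function changePassword(user, currentPassword, newPassword) {
  if (!verifyPassword(currentPassword, user.credential)) return false;
  user.credential = hashPassword(newPassword);
  user.sessions = []; // invalidate every existing session
  return true;
}

// Constructed sample record; the shape is an assumption.
function makeUser() {
  return { id: 'u1', name: 'Dev', email: 'dev@example.test',
           credential: hashPassword('old-password'), sessions: ['s1', 's2'] };
}
```

Rejecting the whole request when an unexpected key appears, rather than silently dropping it, gives the detection side a clean signal to alert on.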

Timeline

Published: June 20, 2026
Last Modified: June 20, 2026
First Seen: June 20, 2026
