Flowise, a widely deployed open-source AI agent and workflow builder, contains a mass assignment flaw (CWE-915) in its PUT /api/v1/user endpoint that lets any authenticated user directly overwrite their stored password hash — bypassing current password verification, bcrypt re-hashing, policy enforcement, and session invalidation in a single crafted API call. Although an ID check prevents horizontal account takeover, this vulnerability creates a reliable persistence pathway: an adversary with even brief session access (via XSS, JWT token leak, or a shared device) can permanently commandeer the account before the window closes. With 79 historical CVEs in the Flowise npm package and a trivial single-request PoC published in the advisory, any internet-exposed Flowise instance managing LLM API keys, agent configurations, or customer data should be treated as urgently at risk. Upgrade to Flowise 3.1.2 immediately; as an interim control, restrict network access to trusted IP ranges and monitor PUT /api/v1/user traffic for requests that include a 'credential' field without 'oldPassword'.
What is the risk?
Operationally higher risk than the medium CVSS label suggests for AI-centric teams. Exploitation requires only a valid JWT — obtainable through routine web attack vectors (XSS, phishing, credential stuffing) — and a pre-computed bcrypt hash, making the exploitation bar trivially low. The attack is silent: no password policy triggers fire, no session invalidation occurs, and no secondary notification is sent to the account owner. Flowise instances typically hold high-value assets including LLM provider API keys, agent orchestration logic, and RAG data sources, amplifying impact well beyond a standard account compromise. No KEV listing or EPSS data are available, but the published PoC in the advisory effectively eliminates the exploit development barrier for any authenticated attacker.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | <= 3.1.1 | 3.1.2 |
Do you use Flowise? You're affected.
How severe is it?
What should I do?
6 steps-
Patch: upgrade to Flowise 3.1.2 which introduces field allowlisting in the user update endpoint to block mass assignment.
-
Interim network control: restrict Flowise admin and API access to trusted IP ranges or place behind a VPN to reduce the session-theft surface required for exploitation.
-
Detection: audit API gateway or web server logs for PUT /api/v1/user requests containing a 'credential' field in the body while absent of 'oldPassword' — this pattern is the attack signature.
-
Rotate all LLM provider API keys and integration credentials stored in any Flowise instance that may have been exposed.
-
Force re-authentication for all active Flowise sessions post-patching.
-
Review Flowise access logs and workflow change history for unexpected account activity or configuration modifications in the period prior to patching.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-59fh-9f3p-7m39?
Flowise, a widely deployed open-source AI agent and workflow builder, contains a mass assignment flaw (CWE-915) in its PUT /api/v1/user endpoint that lets any authenticated user directly overwrite their stored password hash — bypassing current password verification, bcrypt re-hashing, policy enforcement, and session invalidation in a single crafted API call. Although an ID check prevents horizontal account takeover, this vulnerability creates a reliable persistence pathway: an adversary with even brief session access (via XSS, JWT token leak, or a shared device) can permanently commandeer the account before the window closes. With 79 historical CVEs in the Flowise npm package and a trivial single-request PoC published in the advisory, any internet-exposed Flowise instance managing LLM API keys, agent configurations, or customer data should be treated as urgently at risk. Upgrade to Flowise 3.1.2 immediately; as an interim control, restrict network access to trusted IP ranges and monitor PUT /api/v1/user traffic for requests that include a 'credential' field without 'oldPassword'.
Is GHSA-59fh-9f3p-7m39 actively exploited?
No confirmed active exploitation of GHSA-59fh-9f3p-7m39 has been reported, but organizations should still patch proactively.
How to fix GHSA-59fh-9f3p-7m39?
1. Patch: upgrade to Flowise 3.1.2 which introduces field allowlisting in the user update endpoint to block mass assignment. 2. Interim network control: restrict Flowise admin and API access to trusted IP ranges or place behind a VPN to reduce the session-theft surface required for exploitation. 3. Detection: audit API gateway or web server logs for PUT /api/v1/user requests containing a 'credential' field in the body while absent of 'oldPassword' — this pattern is the attack signature. 4. Rotate all LLM provider API keys and integration credentials stored in any Flowise instance that may have been exposed. 5. Force re-authentication for all active Flowise sessions post-patching. 6. Review Flowise access logs and workflow change history for unexpected account activity or configuration modifications in the period prior to patching.
What systems are affected by GHSA-59fh-9f3p-7m39?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow orchestration, AI pipeline management.
What is the CVSS score for GHSA-59fh-9f3p-7m39?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application AML.T0083 Credentials from AI Agent Configuration AML.T0106 Exploitation for Credential Access Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary A Mass Assignment vulnerability in the PUT /api/v1/user endpoint allows authenticated users to directly modify restricted user fields, including the credential (password hash), bypassing the intended password change workflow. Because the endpoint forwards the entire request body to the service layer without filtering, an attacker can override the credential field without providing the current password. This bypasses several security protections including: - old password verification - password hashing enforcement - password policy validation - session invalidation on password change While the vulnerability cannot be used to modify other users due to an ID check in the controller, it allows attackers who obtain a temporary session (e.g., via token theft or XSS) to establish persistent account access. ### Details The endpoint **PUT /api/v1/user** allows authenticated users to update their user profile. The controller checks that the authenticated user matches the provided id, preventing direct IDOR: ```typescript const currentUser = req.user const { id } = req.body if (currentUser.id !== id) { throw new InternalFlowiseError(StatusCodes.FORBIDDEN) } ``` However, the controller forwards the entire request body directly to the service layer without filtering: ```typescript const user = await userService.updateUser(req.body) ``` Inside UserService.updateUser, the incoming data is merged into the existing user entity: ```typescript updatedUser = queryRunner.manager.merge(User, oldUserData, newUserData) ``` Because newUserData is derived from req.body and there is no field allowlist, any field present in the User entity may be modified. This includes sensitive fields such as: - credential - tempToken - tokenExpiry - status - email The service implements a secure password change workflow that requires the following fields: ```typescript oldPassword newPassword confirmPassword ``` Example code: ```typescript if (newUserData.oldPassword && newUserData.newPassword && newUserData.confirmPassword) { if (!compareHash(newUserData.oldPassword, oldUserData.credential)) { throw new InternalFlowiseError(StatusCodes.BAD_REQUEST) } newUserData.credential = this.encryptUserCredential(newUserData.newPassword) } ``` However, this logic can be bypassed by directly supplying a credential value in the request body. Because the merge operation applies all fields from newUserData, the supplied credential hash will overwrite the stored password hash. ### PoC **Step 1 - Authenticate** Login as any normal user and obtain a valid JWT token. **POST /api/v1/auth/login** **Step 2 - Generate a password hash** Generate a bcrypt hash for a password you control. Example: bcrypt("attacker_password") Example hash: $2b$10$abc123examplehashvalue... Step 3 - Send crafted update request ```http PUT /api/v1/user Authorization: Bearer <JWT_TOKEN> Content-Type: application/json { "id": "<your-user-id>", "credential": "$2b$10$abc123examplehashvalue..." } ``` Step 4 - Login with attacker password The password hash in the database is replaced by the supplied value. The attacker can now authenticate using: **attacker_password** without ever providing the previous password. ### Impact This vulnerability allows authenticated users to bypass the password change security controls. Security protections that are bypassed include: current password verification password hashing enforcement password policy validation session invalidation on password change Although the controller prevents modification of other users' accounts, the vulnerability enables persistence after account compromise. Example attack scenario: - An attacker temporarily obtains a user's session (XSS, token leak, shared device, etc.) - The attacker sends the crafted update request with a new password hash - The attacker now permanently controls the account - Authentication logic bypass - Privilege persistence after compromise - Weak account recovery guarantees
Exploitation Scenario
An attacker targeting an organization using Flowise to manage AI agent workflows first obtains a valid user JWT through XSS in the Flowise chat interface or a phishing-delivered token from a legitimate user. Using this temporary session, the attacker generates a bcrypt hash for a password under their control and submits a single crafted PUT /api/v1/user request with the 'credential' field set to that hash. No previous password is required; the service layer merges the full request body into the user entity without field filtering, directly overwriting the stored hash. The attacker discards the stolen session and later authenticates with their chosen password, gaining persistent full access to the Flowise instance's LLM API keys, agent configurations, and all data processed by connected AI workflows — with no evidence of the original session theft remaining visible in authentication logs.
Weaknesses (CWE)
CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
- [Implementation] If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
- [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2025-71338 10.0 Flowise: unauthenticated file write enables RCE
Same package: flowise CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE
Same package: flowise