GHSA-59fh-9f3p-7m39: Flowise: mass assignment bypasses password controls

GHSA-59fh-9f3p-7m39 MEDIUM
Published May 20, 2026
CISO Take

Flowise, a widely deployed open-source AI agent and workflow builder, contains a mass assignment flaw (CWE-915) in its PUT /api/v1/user endpoint that lets any authenticated user directly overwrite their stored password hash — bypassing current password verification, bcrypt re-hashing, policy enforcement, and session invalidation in a single crafted API call. Although an ID check prevents horizontal account takeover, this vulnerability creates a reliable persistence pathway: an adversary with even brief session access (via XSS, JWT token leak, or a shared device) can permanently commandeer the account before the window closes. With 79 historical CVEs in the Flowise npm package and a trivial single-request PoC published in the advisory, any internet-exposed Flowise instance managing LLM API keys, agent configurations, or customer data should be treated as urgently at risk. Upgrade to Flowise 3.1.2 immediately; as an interim control, restrict network access to trusted IP ranges and monitor PUT /api/v1/user traffic for requests that include a 'credential' field without 'oldPassword'.

Sources: GitHub Advisory ATLAS

What is the risk?

Operationally higher risk than the medium CVSS label suggests for AI-centric teams. Exploitation requires only a valid JWT — obtainable through routine web attack vectors (XSS, phishing, credential stuffing) — and a pre-computed bcrypt hash, making the exploitation bar trivially low. The attack is silent: no password policy triggers fire, no session invalidation occurs, and no secondary notification is sent to the account owner. Flowise instances typically hold high-value assets including LLM provider API keys, agent orchestration logic, and RAG data sources, amplifying impact well beyond a standard account compromise. No KEV listing or EPSS data are available, but the published PoC in the advisory effectively eliminates the exploit development barrier for any authenticated attacker.

How does the attack unfold?

Initial Access
Attacker obtains a valid Flowise JWT token via XSS in the chat interface, token interception, phishing, or a shared/compromised device session
AML.T0012
Exploitation
Attacker submits a crafted PUT /api/v1/user request with a self-generated bcrypt hash in the 'credential' field, bypassing all password change security controls at the service layer
AML.T0049
Credential Persistence
Database password hash is silently overwritten with no session invalidation, policy check, or owner notification, granting the attacker durable independent account control
AML.T0106
Impact
Attacker leverages persistent access to harvest LLM provider API keys, exfiltrate data processed by AI agent workflows, and modify pipeline configurations for further exploitation or sabotage
AML.T0083

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm <= 3.1.1 3.1.2

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

6 steps
  1. Patch: upgrade to Flowise 3.1.2 which introduces field allowlisting in the user update endpoint to block mass assignment.

  2. Interim network control: restrict Flowise admin and API access to trusted IP ranges or place behind a VPN to reduce the session-theft surface required for exploitation.

  3. Detection: audit API gateway or web server logs for PUT /api/v1/user requests containing a 'credential' field in the body while absent of 'oldPassword' — this pattern is the attack signature.

  4. Rotate all LLM provider API keys and integration credentials stored in any Flowise instance that may have been exposed.

  5. Force re-authentication for all active Flowise sessions post-patching.

  6. Review Flowise access logs and workflow change history for unexpected account activity or configuration modifications in the period prior to patching.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.2.2 - Information security in AI system development
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI are evaluated and applied
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-59fh-9f3p-7m39?

Flowise, a widely deployed open-source AI agent and workflow builder, contains a mass assignment flaw (CWE-915) in its PUT /api/v1/user endpoint that lets any authenticated user directly overwrite their stored password hash — bypassing current password verification, bcrypt re-hashing, policy enforcement, and session invalidation in a single crafted API call. Although an ID check prevents horizontal account takeover, this vulnerability creates a reliable persistence pathway: an adversary with even brief session access (via XSS, JWT token leak, or a shared device) can permanently commandeer the account before the window closes. With 79 historical CVEs in the Flowise npm package and a trivial single-request PoC published in the advisory, any internet-exposed Flowise instance managing LLM API keys, agent configurations, or customer data should be treated as urgently at risk. Upgrade to Flowise 3.1.2 immediately; as an interim control, restrict network access to trusted IP ranges and monitor PUT /api/v1/user traffic for requests that include a 'credential' field without 'oldPassword'.

Is GHSA-59fh-9f3p-7m39 actively exploited?

No confirmed active exploitation of GHSA-59fh-9f3p-7m39 has been reported, but organizations should still patch proactively.

How to fix GHSA-59fh-9f3p-7m39?

1. Patch: upgrade to Flowise 3.1.2 which introduces field allowlisting in the user update endpoint to block mass assignment. 2. Interim network control: restrict Flowise admin and API access to trusted IP ranges or place behind a VPN to reduce the session-theft surface required for exploitation. 3. Detection: audit API gateway or web server logs for PUT /api/v1/user requests containing a 'credential' field in the body while absent of 'oldPassword' — this pattern is the attack signature. 4. Rotate all LLM provider API keys and integration credentials stored in any Flowise instance that may have been exposed. 5. Force re-authentication for all active Flowise sessions post-patching. 6. Review Flowise access logs and workflow change history for unexpected account activity or configuration modifications in the period prior to patching.

What systems are affected by GHSA-59fh-9f3p-7m39?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow orchestration, AI pipeline management.

What is the CVSS score for GHSA-59fh-9f3p-7m39?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM workflow orchestrationAI pipeline management

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

### Summary A Mass Assignment vulnerability in the PUT /api/v1/user endpoint allows authenticated users to directly modify restricted user fields, including the credential (password hash), bypassing the intended password change workflow. Because the endpoint forwards the entire request body to the service layer without filtering, an attacker can override the credential field without providing the current password. This bypasses several security protections including: - old password verification - password hashing enforcement - password policy validation - session invalidation on password change While the vulnerability cannot be used to modify other users due to an ID check in the controller, it allows attackers who obtain a temporary session (e.g., via token theft or XSS) to establish persistent account access. ### Details The endpoint **PUT /api/v1/user** allows authenticated users to update their user profile. The controller checks that the authenticated user matches the provided id, preventing direct IDOR: ```typescript const currentUser = req.user const { id } = req.body if (currentUser.id !== id) { throw new InternalFlowiseError(StatusCodes.FORBIDDEN) } ``` However, the controller forwards the entire request body directly to the service layer without filtering: ```typescript const user = await userService.updateUser(req.body) ``` Inside UserService.updateUser, the incoming data is merged into the existing user entity: ```typescript updatedUser = queryRunner.manager.merge(User, oldUserData, newUserData) ``` Because newUserData is derived from req.body and there is no field allowlist, any field present in the User entity may be modified. This includes sensitive fields such as: - credential - tempToken - tokenExpiry - status - email The service implements a secure password change workflow that requires the following fields: ```typescript oldPassword newPassword confirmPassword ``` Example code: ```typescript if (newUserData.oldPassword && newUserData.newPassword && newUserData.confirmPassword) { if (!compareHash(newUserData.oldPassword, oldUserData.credential)) { throw new InternalFlowiseError(StatusCodes.BAD_REQUEST) } newUserData.credential = this.encryptUserCredential(newUserData.newPassword) } ``` However, this logic can be bypassed by directly supplying a credential value in the request body. Because the merge operation applies all fields from newUserData, the supplied credential hash will overwrite the stored password hash. ### PoC **Step 1 - Authenticate** Login as any normal user and obtain a valid JWT token. **POST /api/v1/auth/login** **Step 2 - Generate a password hash** Generate a bcrypt hash for a password you control. Example: bcrypt("attacker_password") Example hash: $2b$10$abc123examplehashvalue... Step 3 - Send crafted update request ```http PUT /api/v1/user Authorization: Bearer <JWT_TOKEN> Content-Type: application/json { "id": "<your-user-id>", "credential": "$2b$10$abc123examplehashvalue..." } ``` Step 4 - Login with attacker password The password hash in the database is replaced by the supplied value. The attacker can now authenticate using: **attacker_password** without ever providing the previous password. ### Impact This vulnerability allows authenticated users to bypass the password change security controls. Security protections that are bypassed include: current password verification password hashing enforcement password policy validation session invalidation on password change Although the controller prevents modification of other users' accounts, the vulnerability enables persistence after account compromise. Example attack scenario: - An attacker temporarily obtains a user's session (XSS, token leak, shared device, etc.) - The attacker sends the crafted update request with a new password hash - The attacker now permanently controls the account - Authentication logic bypass - Privilege persistence after compromise - Weak account recovery guarantees

Exploitation Scenario

An attacker targeting an organization using Flowise to manage AI agent workflows first obtains a valid user JWT through XSS in the Flowise chat interface or a phishing-delivered token from a legitimate user. Using this temporary session, the attacker generates a bcrypt hash for a password under their control and submits a single crafted PUT /api/v1/user request with the 'credential' field set to that hash. No previous password is required; the service layer merges the full request body into the user entity without field filtering, directly overwriting the stored hash. The attacker discards the stolen session and later authenticates with their chosen password, gaining persistent full access to the Flowise instance's LLM API keys, agent configurations, and all data processed by connected AI workflows — with no evidence of the original session theft remaining visible in authentication logs.

Weaknesses (CWE)

CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

  • [Implementation] If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Source: MITRE CWE corpus.

Timeline

Published
May 20, 2026
Last Modified
May 20, 2026
First Seen
May 20, 2026

Related Vulnerabilities