AI Threat Alert
GHSA-7j65-65cr-6644: Flowise: mass assignment breaks cross-workspace isolation
GHSA-7j65-65cr-6644 HIGHFlowise versions up to 3.1.1 contain a mass assignment vulnerability in the DatasetRow service where Object.assign() copies client-supplied fields—including workspaceId and id—directly onto persisted entities with no allowlist, completely breaking multi-tenant workspace isolation. Any authenticated user can silently transfer dataset rows into arbitrary workspaces by including a foreign workspaceId in a standard PUT request body, with workspace UUIDs trivially enumerable from existing API responses—meaning exploitation requires zero specialized knowledge beyond a valid session. This is the same root-cause pattern already patched for the DocumentStore entity in commit 840d2ae, indicating a systemic allowlisting deficiency across the codebase rather than an isolated oversight, and Flowise carries 76 prior CVEs suggesting chronic application security debt. Organizations running Flowise in any multi-tenant configuration—including shared internal deployments across teams—should upgrade to 3.1.2 immediately and audit recent DatasetRow PUT/POST requests for workspaceId values inconsistent with the authenticated user's workspace.
What is the risk?
High risk for any multi-tenant Flowise deployment. Exploitation is trivial: the attacker needs only a valid authenticated session and a target workspace UUID, both of which are readily available through normal application use. No public exploit code is required—the advisory itself documents the full exploit chain. The absence of CISA KEV listing and no public PoC tool reduces immediate mass-exploitation risk, but the vulnerability is self-contained and fully described, meaning any motivated insider or compromised account can execute it without AI or security expertise. The fix is available in 3.1.2 and the allowlist pattern is already established in the codebase, making patching the only viable remediation.
Attack Kill Chain
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | <= 3.1.1 | 3.1.2 |
Do you use flowise? You're affected.
Severity & Risk
What should I do?
5 steps-
Upgrade to Flowise 3.1.2 immediately—the fix applies the allowlist pattern (explicit field-by-field assignment) documented in commit 840d2ae to DatasetRow create and update paths.
-
If immediate upgrade is blocked, restrict the Flowise API to trusted network segments and enforce IP allowlisting at the reverse proxy layer to limit which users can reach datasetrow endpoints.
-
Audit PostgreSQL for rows where workspaceId was recently changed: query DatasetRow with updated_at timestamps from the last 30 days and verify workspaceId matches the creating user's workspace.
-
Review application logs for PUT/POST requests to /api/v1/datasetrows/* where the request body contains a workspaceId field different from the session's workspace context.
-
After patching, verify regression: submit a request body containing workspaceId, id, createdDate, and updatedDate fields and confirm the persisted row retains original values for all four columns.
Classification
Compliance Impact
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-7j65-65cr-6644?
Flowise versions up to 3.1.1 contain a mass assignment vulnerability in the DatasetRow service where Object.assign() copies client-supplied fields—including workspaceId and id—directly onto persisted entities with no allowlist, completely breaking multi-tenant workspace isolation. Any authenticated user can silently transfer dataset rows into arbitrary workspaces by including a foreign workspaceId in a standard PUT request body, with workspace UUIDs trivially enumerable from existing API responses—meaning exploitation requires zero specialized knowledge beyond a valid session. This is the same root-cause pattern already patched for the DocumentStore entity in commit 840d2ae, indicating a systemic allowlisting deficiency across the codebase rather than an isolated oversight, and Flowise carries 76 prior CVEs suggesting chronic application security debt. Organizations running Flowise in any multi-tenant configuration—including shared internal deployments across teams—should upgrade to 3.1.2 immediately and audit recent DatasetRow PUT/POST requests for workspaceId values inconsistent with the authenticated user's workspace.
Is GHSA-7j65-65cr-6644 actively exploited?
No confirmed active exploitation of GHSA-7j65-65cr-6644 has been reported, but organizations should still patch proactively.
How to fix GHSA-7j65-65cr-6644?
1. Upgrade to Flowise 3.1.2 immediately—the fix applies the allowlist pattern (explicit field-by-field assignment) documented in commit 840d2ae to DatasetRow create and update paths. 2. If immediate upgrade is blocked, restrict the Flowise API to trusted network segments and enforce IP allowlisting at the reverse proxy layer to limit which users can reach datasetrow endpoints. 3. Audit PostgreSQL for rows where workspaceId was recently changed: query DatasetRow with updated_at timestamps from the last 30 days and verify workspaceId matches the creating user's workspace. 4. Review application logs for PUT/POST requests to /api/v1/datasetrows/* where the request body contains a workspaceId field different from the session's workspace context. 5. After patching, verify regression: submit a request body containing workspaceId, id, createdDate, and updatedDate fields and confirm the persisted row retains original values for all four columns.
What systems are affected by GHSA-7j65-65cr-6644?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM fine-tuning pipelines, Multi-tenant SaaS AI platforms, Dataset management and evaluation systems, RLHF and model evaluation workflows.
What is the CVSS score for GHSA-7j65-65cr-6644?
No CVSS score has been assigned yet.
Technical Details
NVD Description
## Summary **Type:** Mass assignment via `Object.assign(entity, body)` -> client-controlled `workspaceId` (and on create, `id`) overwritten on the DatasetRow entity -> cross-workspace data takeover and IDOR. **File:** `packages/server/src/services/dataset/index.ts` **Root cause:** The DatasetRow controller/service constructs a `new DatasetRow()` and copies the request body into it via `Object.assign(...)` without an explicit field allowlist. The request body therefore can include `workspaceId`, `id`, `createdDate`, `updatedDate`. The server only rebinds *some* of these after the assign (e.g. on create, it overwrites `workspaceId` but not `id`; on update, it overwrites `id` but not `workspaceId`). The remaining client-controlled values land directly on the persisted row, breaking workspace isolation. Same root pattern as the datasetrow entity's sibling controllers and as `DocumentStore` before it was patched in commit 840d2ae. ## Affected Code **File:** `packages/server/src/services/dataset/index.ts` ```ts // create (line 274) and update (line 315) Object.assign(newRow, rowBody) // <-- BUG: rowBody.id, rowBody.datasetId accepted ``` **Why it's wrong:** `Object.assign(target, source)` copies every own enumerable property of `source` onto `target`. The TypeORM/SQL persistence layer below it does not strip ownership-bearing columns, so `workspaceId` set in the request body lands as the new `workspaceId` of the persisted row. The DocumentStore patch (commit 840d2ae) demonstrated the intended fix shape (explicit field-by-field allowlist) but it has not been applied to this entity. ## Exploit Chain 1. Attacker is an authenticated member of workspace A. They have a session cookie / JWT for the Flowise web UI. State at this point: attacker can read and write entities scoped to workspace A. 2. Attacker creates a datasetrow in workspace A via the documented API (or reuses an existing one they own). They note its entity `id`. 3. Attacker issues a `PUT /api/v1/datasetrows/<id>` (or equivalent endpoint) with a JSON body that includes `"workspaceId": "<workspace-B-id>"` (an arbitrary other workspace's UUID). State at this point: the request reaches the controller as a workspace-A authenticated request. 4. The controller calls `Object.assign(updateEntity, body)`. The body's `workspaceId` overwrites the entity's `workspaceId` field. The persistence layer commits the row. 5. Final state: the datasetrow row is now owned by workspace B. Workspace B members can see it, modify it, and use it. Workspace A loses access (it no longer satisfies their workspace filter). The original creator's workspace audit shows nothing because the operation looked like a normal update. ## Security Impact **Severity:** High. Cross-workspace boundary violation by any authenticated workspace member. **Attacker capability:** Any authenticated user with permission to update a datasetrow can move it to any workspace whose UUID they can guess or enumerate (workspace UUIDs are exposed in many API responses, so enumeration is trivial). DatasetRows hold individual training/evaluation records. The mass assignment lets a member rebind a row to a Dataset in another workspace via `datasetId`, exposing the row content to the destination workspace. **Preconditions:** Authenticated session with edit permission for the source datasetrow. No second factor required. Workspace UUIDs are exposed via the `/api/v1/workspaces` listing or via any cross-referenced object's `workspaceId` field, so target enumeration is trivial. **Differential:** PoC-verified by source inspection of the original GHSA-q4pr-4r26-c69r. Patched build (with the suggested fix below) refuses the `workspaceId` field; vulnerable build accepts it and persists it. ## Suggested Fix Already fixed in PR https://github.com/FlowiseAI/Flowise/pull/6051 (allowlist pattern applied). ```ts // Allowlist pattern (matches commit 840d2ae for DocumentStore): const updatedDatasetRow = new DatasetRow() if (body.<allowed_field_1> !== undefined) updatedDatasetRow.<allowed_field_1> = body.<allowed_field_1> if (body.<allowed_field_2> !== undefined) updatedDatasetRow.<allowed_field_2> = body.<allowed_field_2> // ...whitelist only the documented fields. Never copy id, workspaceId, createdDate, updatedDate from the client. ``` Regression tests should assert that a request body containing `workspaceId`, `id`, `createdDate`, or `updatedDate` is rejected (or at minimum: does not change those columns on the persisted row) for both create and update paths.
Exploitation Scenario
An attacker holds a legitimate Flowise account in Workspace A—representing an insider threat, a compromised contractor account, or a shared deployment where multiple teams coexist. They call GET /api/v1/workspaces or inspect any cross-referenced API response to enumerate Workspace B's UUID (exposed in standard object representations throughout the API). They then issue a PUT /api/v1/datasetrows/<row-id> request with JSON body { "content": "legitimate update", "workspaceId": "<workspace-B-uuid>" }. The DatasetRow service executes Object.assign(updateEntity, body), copying workspaceId onto the entity before TypeORM persists it. The row now belongs to Workspace B: Workspace B members can read, modify, and use the training record while Workspace A's workspace filter silently drops it from their view. From Workspace B, the attacker reads the exfiltrated training data via normal API calls. No anomaly appears in audit logs because the operation is processed as a standard authenticated update.
Weaknesses (CWE)
References
Timeline
Related Vulnerabilities
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-30821 9.8 flowise: Arbitrary File Upload enables RCE
Same package: flowise CVE-2026-30824 9.8 Flowise: auth bypass exposes NVIDIA NIM container endpoints
Same package: flowise