GHSA-hp26-q66v-q2w7: Flowise mass assignment breaks

Q: Is GHSA-hp26-q66v-q2w7 actively exploited?

No confirmed active exploitation of GHSA-hp26-q66v-q2w7 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-hp26-q66v-q2w7?

1. Upgrade flowise to version 3.1.2 or later immediately—the vendor patch is the only reliable fix. 2. If immediate patching is not possible, deploy a WAF rule to strip workspaceId, createdDate, and updatedDate fields from PUT /api/v1/assistants/* request bodies. 3. Audit your PostgreSQL database for anomalous workspaceId assignments: query assistant records for workspace IDs that do not match the creating user's workspace history. 4. Review API access logs for unexpected PUT requests to /api/v1/assistants/ from users whose account workspace does not match the target assistant's original workspace. 5. In multi-tenant deployments, consider temporarily restricting assistant update permissions to workspace administrators only until patching is complete. 6. Treat any Flowise instances exposed to the internet or shared across organizational boundaries as higher priority targets for this patch.

Q: What systems are affected by GHSA-hp26-q66v-q2w7?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, LLM orchestration pipelines, AI assistant deployments.

Q: What is the CVSS score for GHSA-hp26-q66v-q2w7?

No CVSS score has been assigned yet.

CISO Take

A mass assignment vulnerability in FlowiseAI's assistant update API (PUT /api/v1/assistants/{id}) allows any authenticated user to inject server-controlled fields—most critically workspaceId—enabling cross-tenant reassignment of AI assistants without authorization. In shared or multi-tenant Flowise deployments, this breaks the fundamental tenant isolation boundary: a low-privilege user in one workspace can silently move assistants into another, potentially accessing connected credentials, tool configurations, and agentic capabilities belonging to other tenants. While not in CISA KEV and no public exploit exists, exploitation requires only valid credentials and a trivially crafted HTTP request—Flowise's history of 69 CVEs in the same package also signals persistent security hygiene issues worth weighing. Organizations running Flowise ≤ 3.1.1 should upgrade to 3.1.2 immediately; teams using Flowise in multi-tenant or shared environments should treat this as urgent regardless of their patch timeline.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium-High risk. The attack requires authentication, limiting exposure to insider threats and compromised accounts, but the technique is completely trivial—any authenticated user need only append a workspaceId field to a standard API request with no special tooling or AI knowledge required. The impact is significant in multi-tenant architectures where workspace isolation is a core security guarantee. Absence of EPSS data and public exploit code reduces imminent mass-exploitation risk, but the near-zero skill floor means any motivated insider can execute this without specialized knowledge. Flowise's 69-CVE track record in this package suggests the broader codebase deserves scrutiny beyond this single issue.

How does the attack unfold?

Initial Access

Attacker authenticates to a shared Flowise instance using valid credentials for their own low-privilege account.

AML.T0012

Reconnaissance

Attacker enumerates assistant IDs and target workspace UUIDs from API responses, error messages, or shared Flowise URLs to identify victim tenant workspaces.

AML.T0084

Exploitation

Attacker sends a crafted PUT /api/v1/assistants/{id} request with an injected workspaceId pointing to a victim tenant's workspace; the server accepts and persists the unauthorized field without validation.

AML.T0049

Impact

Assistant is reassigned into the victim's workspace, breaking tenant isolation and potentially exposing the victim's connected credentials, LLM tool integrations, and agent configurations to the attacker.

AML.T0081

Initial Access

Attacker authenticates to a shared Flowise instance using valid credentials for their own low-privilege account.

AML.T0012

Reconnaissance

Attacker enumerates assistant IDs and target workspace UUIDs from API responses, error messages, or shared Flowise URLs to identify victim tenant workspaces.

AML.T0084

Exploitation

Attacker sends a crafted PUT /api/v1/assistants/{id} request with an injected workspaceId pointing to a victim tenant's workspace; the server accepts and persists the unauthorized field without validation.

AML.T0049

Impact

Assistant is reassigned into the victim's workspace, breaking tenant isolation and potentially exposing the victim's connected credentials, LLM tool integrations, and agent configurations to the attacker.

AML.T0081

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	<= 3.1.1	`3.1.2`

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

6 steps

Upgrade flowise to version 3.1.2 or later immediately—the vendor patch is the only reliable fix.
If immediate patching is not possible, deploy a WAF rule to strip workspaceId, createdDate, and updatedDate fields from PUT /api/v1/assistants/* request bodies.
Audit your PostgreSQL database for anomalous workspaceId assignments: query assistant records for workspace IDs that do not match the creating user's workspace history.
Review API access logs for unexpected PUT requests to /api/v1/assistants/ from users whose account workspace does not match the target assistant's original workspace.
In multi-tenant deployments, consider temporarily restricting assistant update permissions to workspace administrators only until patching is complete.
Treat any Flowise instances exposed to the internet or shared across organizational boundaries as higher priority targets for this patch.

How is it classified?

Auth Bypass Data Leakage Agent Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0081 - Modify AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.6 - AI system security

NIST AI RMF

GOVERN 6.2 - Organizational roles and responsibilities for AI oversight MANAGE 2.4 - Mechanisms to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is GHSA-hp26-q66v-q2w7?

A mass assignment vulnerability in FlowiseAI's assistant update API (PUT /api/v1/assistants/{id}) allows any authenticated user to inject server-controlled fields—most critically workspaceId—enabling cross-tenant reassignment of AI assistants without authorization. In shared or multi-tenant Flowise deployments, this breaks the fundamental tenant isolation boundary: a low-privilege user in one workspace can silently move assistants into another, potentially accessing connected credentials, tool configurations, and agentic capabilities belonging to other tenants. While not in CISA KEV and no public exploit exists, exploitation requires only valid credentials and a trivially crafted HTTP request—Flowise's history of 69 CVEs in the same package also signals persistent security hygiene issues worth weighing. Organizations running Flowise ≤ 3.1.1 should upgrade to 3.1.2 immediately; teams using Flowise in multi-tenant or shared environments should treat this as urgent regardless of their patch timeline.

Is GHSA-hp26-q66v-q2w7 actively exploited?

No confirmed active exploitation of GHSA-hp26-q66v-q2w7 has been reported, but organizations should still patch proactively.

How to fix GHSA-hp26-q66v-q2w7?

1. Upgrade flowise to version 3.1.2 or later immediately—the vendor patch is the only reliable fix. 2. If immediate patching is not possible, deploy a WAF rule to strip workspaceId, createdDate, and updatedDate fields from PUT /api/v1/assistants/* request bodies. 3. Audit your PostgreSQL database for anomalous workspaceId assignments: query assistant records for workspace IDs that do not match the creating user's workspace history. 4. Review API access logs for unexpected PUT requests to /api/v1/assistants/ from users whose account workspace does not match the target assistant's original workspace. 5. In multi-tenant deployments, consider temporarily restricting assistant update permissions to workspace administrators only until patching is complete. 6. Treat any Flowise instances exposed to the internet or shared across organizational boundaries as higher priority targets for this patch.

What systems are affected by GHSA-hp26-q66v-q2w7?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, LLM orchestration pipelines, AI assistant deployments.

What is the CVSS score for GHSA-hp26-q66v-q2w7?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksmulti-tenant AI platformsLLM orchestration pipelinesAI assistant deployments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0081 Modify AI Agent Configuration

AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.2.6

NIST AI RMF: GOVERN 6.2, MANAGE 2.4

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

### Summary A Mass Assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. ### Details The endpoint responsible for updating assistants: **PUT /api/v1/assistants/{assistantId}** accepts a JSON request body containing assistant metadata. However, the server does not restrict which properties may be modified by the client. As a result, user-controlled request bodies can include additional fields that should normally be controlled only by the backend. Server-controlled fields that can be manipulated include: 1. workspaceId 2. createdDate 3. updatedDate These fields appear to be directly mapped to the underlying database entity without strict DTO whitelisting or authorization checks. For example, the following request body was accepted: ```json { "details": "", "credential": "11ca7fef-c9b1-4c87-aa54-e547aed8a249", "iconSrc": null, "type": "CUSTOM", "createdDate": "2026-03-06T17:31:04.000Z", "updatedDate": "2026-03-06T17:31:55.000Z", "workspaceId": "11111111-2222-3333-4444-555555555555" } ``` This indicates that internal, server-controlled properties can be modified by an authenticated user. ### PoC 1. Authenticate to the Flowise interface. 2. Capture the request used to update an assistant: ```http PUT /api/v1/assistants/<ASSISTANT_ID> Content-Type: application/json Modify the request body by injecting server-controlled fields: { "details": "", "credential": "11ca7fef-c9b1-4c87-aa54-e547aed8a249", "iconSrc": null, "type": "CUSTOM", "createdDate": "2026-03-06T17:31:04.000Z", "updatedDate": "2026-03-06T17:31:55.000Z", "workspaceId": "11111111-2222-3333-4444-555555555555" } ``` 3.Send the request. Observe that the response accepts and persists the attacker-controlled workspaceId and metadata fields. ### Impact This vulnerability allows authenticated users to manipulate internal attributes of assistant resources. Confirmed impacts include: - Cross-workspace reassignment of assistants (workspaceId) - Unauthorized modification of metadata (createdDate, updatedDate) In multi-tenant deployments, this may allow an attacker to move assistants between workspaces without authorization, breaking tenant isolation boundaries.

Exploitation Scenario

An attacker with a legitimate low-privilege account on a shared enterprise Flowise instance authenticates and creates a test assistant in their own workspace. Using an intercepting proxy, they capture the PUT /api/v1/assistants/{id} request and observe the accepted JSON schema. They then enumerate target workspace UUIDs—potentially discoverable from API error messages, URL patterns, or by observing UUIDs embedded in shared Flowise links—and replay the update request with an injected workspaceId pointing to a victim tenant's workspace. The server accepts and persists the manipulated field without validation. The attacker's assistant is now visible and operational within the victim workspace, and depending on the Flowise configuration, may inherit that workspace's connected LLM credentials, database connections, and tool integrations—enabling further lateral movement into the victim tenant's AI infrastructure without ever touching the victim's credentials.