AI Threat Alert
Flowise versions up to 3.1.1 contain a mass assignment flaw in the evaluations service that lets any authenticated user overwrite the `workspaceId` field on evaluation records via a crafted PUT request, silently transferring them across workspace boundaries. In multi-tenant Flowise deployments — common in enterprises using Flowise as an AI agent and LLM pipeline builder — this exposes captured prompts, model outputs, and scoring data to unauthorized workspace members without triggering any access-control alert. Exploitation requires only a valid session and a target workspace UUID, both trivially obtainable from routine API responses, placing this squarely in low-skill territory despite the high blast radius; the same root-cause pattern has already appeared in at least one other Flowise entity controller. Upgrade to Flowise 3.1.2 immediately; if patching is blocked, restrict API access to trusted internal network segments and audit your evaluations table for rows where `workspaceId` does not match the originating user's workspace.
What is the risk?
High risk for any organization running Flowise in a shared or multi-tenant configuration. Exploitation requires only a standard authenticated session — no elevated privileges, no second factor, no advanced skill. Target workspace UUIDs are exposed in routine API responses, making enumeration trivial. The 76 other CVEs attributed to the same package suggest systemic security debt and a pattern of similar flaws rather than an isolated incident. Single-tenant or network-isolated deployments have materially reduced exposure but should still patch given the systemic nature of the root cause.
Attack Kill Chain
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | <= 3.1.1 | 3.1.2 |
Do you use flowise? You're affected.
Severity & Risk
What should I do?
5 steps-
Patch immediately: upgrade Flowise to 3.1.2 or later. The fix applies an explicit field allowlist pattern — matching the approach used in commit 840d2ae for DocumentStore — that strips workspaceId, id, createdDate, and updatedDate from all client-controlled request bodies on both create and update paths.
-
Network segmentation: if immediate patching is not feasible, restrict the Flowise API (default port 3000) to trusted internal subnets only and block public internet exposure.
-
Audit existing data: query your Flowise database for evaluation rows where workspaceId does not match the workspace of the originating user record — anomalies may indicate prior exploitation.
-
Review API logs: search for PUT /api/v1/evaluations requests whose JSON body contains a workspaceId field — legitimate clients should not be sending this field.
-
Extend review to sibling controllers: the GHSA notes this is a systemic pattern; verify that other Flowise entity controllers beyond evaluations and DocumentStore have received the same allowlist fix in 3.1.2.
Classification
Compliance Impact
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-mq53-pc65-wjc4?
Flowise versions up to 3.1.1 contain a mass assignment flaw in the evaluations service that lets any authenticated user overwrite the `workspaceId` field on evaluation records via a crafted PUT request, silently transferring them across workspace boundaries. In multi-tenant Flowise deployments — common in enterprises using Flowise as an AI agent and LLM pipeline builder — this exposes captured prompts, model outputs, and scoring data to unauthorized workspace members without triggering any access-control alert. Exploitation requires only a valid session and a target workspace UUID, both trivially obtainable from routine API responses, placing this squarely in low-skill territory despite the high blast radius; the same root-cause pattern has already appeared in at least one other Flowise entity controller. Upgrade to Flowise 3.1.2 immediately; if patching is blocked, restrict API access to trusted internal network segments and audit your evaluations table for rows where `workspaceId` does not match the originating user's workspace.
Is GHSA-mq53-pc65-wjc4 actively exploited?
No confirmed active exploitation of GHSA-mq53-pc65-wjc4 has been reported, but organizations should still patch proactively.
How to fix GHSA-mq53-pc65-wjc4?
1. Patch immediately: upgrade Flowise to 3.1.2 or later. The fix applies an explicit field allowlist pattern — matching the approach used in commit 840d2ae for DocumentStore — that strips workspaceId, id, createdDate, and updatedDate from all client-controlled request bodies on both create and update paths. 2. Network segmentation: if immediate patching is not feasible, restrict the Flowise API (default port 3000) to trusted internal subnets only and block public internet exposure. 3. Audit existing data: query your Flowise database for evaluation rows where workspaceId does not match the workspace of the originating user record — anomalies may indicate prior exploitation. 4. Review API logs: search for PUT /api/v1/evaluations requests whose JSON body contains a workspaceId field — legitimate clients should not be sending this field. 5. Extend review to sibling controllers: the GHSA notes this is a systemic pattern; verify that other Flowise entity controllers beyond evaluations and DocumentStore have received the same allowlist fix in 3.1.2.
What systems are affected by GHSA-mq53-pc65-wjc4?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, model evaluation pipelines, LLM orchestration platforms.
What is the CVSS score for GHSA-mq53-pc65-wjc4?
No CVSS score has been assigned yet.
Technical Details
NVD Description
## Summary **Type:** Mass assignment via `Object.assign(entity, body)` -> client-controlled `workspaceId` (and on create, `id`) overwritten on the Evaluation entity -> cross-workspace data takeover and IDOR. **File:** `packages/server/src/services/evaluations/index.ts` **Root cause:** The Evaluation controller/service constructs a `new Evaluation()` and copies the request body into it via `Object.assign(...)` without an explicit field allowlist. The request body therefore can include `workspaceId`, `id`, `createdDate`, `updatedDate`. The server only rebinds *some* of these after the assign (e.g. on create, it overwrites `workspaceId` but not `id`; on update, it overwrites `id` but not `workspaceId`). The remaining client-controlled values land directly on the persisted row, breaking workspace isolation. Same root pattern as the evaluation entity's sibling controllers and as `DocumentStore` before it was patched in commit 840d2ae. ## Affected Code **File:** `packages/server/src/services/evaluations/index.ts` ```ts // at line 69 Object.assign(newEvaluation, body) // <-- BUG: body.id, body.workspaceId, body.createdDate, body.updatedDate accepted ``` **Why it's wrong:** `Object.assign(target, source)` copies every own enumerable property of `source` onto `target`. The TypeORM/SQL persistence layer below it does not strip ownership-bearing columns, so `workspaceId` set in the request body lands as the new `workspaceId` of the persisted row. The DocumentStore patch (commit 840d2ae) demonstrated the intended fix shape (explicit field-by-field allowlist) but it has not been applied to this entity. ## Exploit Chain 1. Attacker is an authenticated member of workspace A. They have a session cookie / JWT for the Flowise web UI. State at this point: attacker can read and write entities scoped to workspace A. 2. Attacker creates a evaluation in workspace A via the documented API (or reuses an existing one they own). They note its entity `id`. 3. Attacker issues a `PUT /api/v1/evaluations/<id>` (or equivalent endpoint) with a JSON body that includes `"workspaceId": "<workspace-B-id>"` (an arbitrary other workspace's UUID). State at this point: the request reaches the controller as a workspace-A authenticated request. 4. The controller calls `Object.assign(updateEntity, body)`. The body's `workspaceId` overwrites the entity's `workspaceId` field. The persistence layer commits the row. 5. Final state: the evaluation row is now owned by workspace B. Workspace B members can see it, modify it, and use it. Workspace A loses access (it no longer satisfies their workspace filter). The original creator's workspace audit shows nothing because the operation looked like a normal update. ## Security Impact **Severity:** High. Cross-workspace boundary violation by any authenticated workspace member. **Attacker capability:** Any authenticated user with permission to update a evaluation can move it to any workspace whose UUID they can guess or enumerate (workspace UUIDs are exposed in many API responses, so enumeration is trivial). Evaluation runs (which may include captured prompts, model outputs, scoring data) can be moved cross-workspace via `workspaceId` overwrite, exposing the data to attacker workspace members. **Preconditions:** Authenticated session with edit permission for the source evaluation. No second factor required. Workspace UUIDs are exposed via the `/api/v1/workspaces` listing or via any cross-referenced object's `workspaceId` field, so target enumeration is trivial. **Differential:** PoC-verified by source inspection of the original GHSA-q4pr-4r26-c69r. Patched build (with the suggested fix below) refuses the `workspaceId` field; vulnerable build accepts it and persists it. ## Suggested Fix Already fixed in PR https://github.com/FlowiseAI/Flowise/pull/6050 (allowlist pattern applied). ```ts // Allowlist pattern (matches commit 840d2ae for DocumentStore): const updatedEvaluation = new Evaluation() if (body.<allowed_field_1> !== undefined) updatedEvaluation.<allowed_field_1> = body.<allowed_field_1> if (body.<allowed_field_2> !== undefined) updatedEvaluation.<allowed_field_2> = body.<allowed_field_2> // ...whitelist only the documented fields. Never copy id, workspaceId, createdDate, updatedDate from the client. ``` Regression tests should assert that a request body containing `workspaceId`, `id`, `createdDate`, or `updatedDate` is rejected (or at minimum: does not change those columns on the persisted row) for both create and update paths.
Exploitation Scenario
A contractor with a legitimate Flowise account in workspace A on a shared enterprise deployment enumerates workspace UUIDs by calling /api/v1/workspaces or reading the workspaceId fields embedded in any cross-referenced API response. They identify the AI research team's workspace B, which contains months of evaluation runs on a proprietary fine-tuned model. The attacker issues a PUT /api/v1/evaluations/<id> request for an evaluation they own in workspace A, injecting "workspaceId": "<workspace-B-uuid>" into the JSON body. The Flowise backend copies the field via Object.assign() without validation and persists the row. The evaluation record — including captured prompts, model outputs, and scoring data — is now silently transferred to workspace B. The research team loses access (the record no longer appears under their workspace filter), the attacker's workspace gains read access to the proprietary data, and no security alert fires because the operation is indistinguishable from a routine update.
Weaknesses (CWE)
References
Timeline
Related Vulnerabilities
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-30821 9.8 flowise: Arbitrary File Upload enables RCE
Same package: flowise CVE-2026-30824 9.8 Flowise: auth bypass exposes NVIDIA NIM container endpoints
Same package: flowise