CVE-2026-42861
Published: 2026-06-08
Priority P261 · critical · 9.6 (CVSS 3.1)
EPSS: 0.25% (16.6th percentile)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces. This behavior may break tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowiseai | flowise | < 3.1.2 | 3.1.2 |
| flowiseai | flowise | >= 0 < 3.1.2 | 3.1.2 |
CVSS provenance
- NVD, CVSS v3.1: 9.6 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
- NVD, CVSS v4.0: 7.6 HIGH, CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
FlowiseAI Flowise up to 3.0.12 API Endpoint createLead dynamically-determined object attributes (WID-SEC-2026-1554)
vuldb · 2026-06-13 · CVSS 9.6 · CRITICAL
A vulnerability was found in FlowiseAI Flowise up to 3.0.12 and classified as critical. Affected by this issue is the function createLead of the component API Endpoint. Such manipulation leads to dynamically-determined object attributes.
This vulnerability is traded as CVE-2026-42861. The attack may be launched remotely. Furthermore, there is an exploit available.
It is suggested to upgrade the affected component.
GHSA
FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment
ghsa · 2026-05-14 · HIGH · CWE-284
### Summary
A Mass Assignment vulnerability exists in the variable update endpoint of FlowiseAI.
The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource.
Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces.
This behavior may break tenant isolation in multi-workspace environments.
### Details
The endpoint responsible for updating variables:
**PUT /api/v1/variables/{variableId}**
accepts a JSON request body containing the variable definition.
However, the backend doe
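The mass-assignment pattern the advisory describes, as an added example that is not Flowise's own code: the core of a variable-update handler written as pure functions, with the body-spread shape beside an allow-list plus workspace-ownership check. The editable field names (name, value, type), the workspace ids and the sample records are assumptions made up for illustration.

```javascript
// Added example, not Flowise code. Field names and workspace ids are assumptions.
const CLIENT_UPDATABLE = ["name", "value", "type"];

// Vulnerable shape: the request body is spread over the stored entity, so any
// key the caller sends (workspaceId, createdDate, updatedDate, ...) overwrites
// the server-controlled value.
function updateVariableVulnerable(stored, body) {
  return { ...stored, ...body };
}

// Hardened shape: (1) the caller's workspace must own the variable, (2) only
// allow-listed fields are copied, (3) timestamps are set by the server.
// Dropped keys are returned so the handler can log them as a detection signal.
function updateVariableHardened(stored, body, callerWorkspaceId, now) {
  if (stored.workspaceId !== callerWorkspaceId) {
    const err = new Error("variable does not belong to the caller's workspace");
    err.status = 403;
    throw err;
  }
  const dropped = Object.keys(body).filter((k) => !CLIENT_UPDATABLE.includes(k));
  const updated = { ...stored, updatedDate: now };
  for (const key of CLIENT_UPDATABLE) {
    if (Object.prototype.hasOwnProperty.call(body, key)) updated[key] = body[key];
  }
  return { updated, dropped };
}

// Constructed sample: a variable owned by workspace ws-A, and a PUT body that
// changes the value but also tries to move the record to ws-B and back-date it.
const STORED = {
  id: "var-1", name: "API_KEY", value: "old", type: "static",
  workspaceId: "ws-A",
  createdDate: "2026-01-01T00:00:00Z", updatedDate: "2026-01-01T00:00:00Z",
};
const REQUEST_BODY = { value: "new", workspaceId: "ws-B", createdDate: "2020-01-01T00:00:00Z" };

function demo() {
  const leaky = updateVariableVulnerable(STORED, REQUEST_BODY);
  const { updated, dropped } = updateVariableHardened(
    STORED, REQUEST_BODY, "ws-A", "2026-06-08T00:00:00Z");
  return { leakyWorkspace: leaky.workspaceId, keptWorkspace: updated.workspaceId, dropped };
}

// → { leakyWorkspace: "ws-B", keptWorkspace: "ws-A", dropped: ["workspaceId","createdDate"] }
console.log(demo());
```

A non-empty `dropped` list on a production endpoint is worth alerting on: a legitimate client has no reason to send workspaceId or timestamps in an update body.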
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.