CVE-2026-42863
published 2026-06-08CVE-2026-42863: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the…
PriorityP351high8.1CVSS 3.1
AVNACLPRLUINSUCHIHAN
EPSS
0.27%
18.3th percentile
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings. This issue has been patched in version 3.1.2.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowiseai | flowise | < 3.1.2 | 3.1.2 |
| flowiseai | flowise | >= 0 < 3.1.2 | 3.1.2 |
CVSS provenance
nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvdv4.07.6HIGHCVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
FlowiseAI Flowise up to 3.1.1 Chatflow Update Endpoint access control
vuldb·2026-06-08·CVSS 7.6
CVE-2026-42863 [HIGH] FlowiseAI Flowise up to 3.1.1 Chatflow Update Endpoint access control
A vulnerability marked as critical has been reported in FlowiseAI Flowise up to 3.1.1. This issue affects some unknown processing of the component Chatflow Update Endpoint. Performing a manipulation results in improper access controls.
This vulnerability is cataloged as CVE-2026-42863. It is possible to initiate the attack remotely. There is no exploit available.
It is suggested to upgrade the affected component.
GHSA
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
ghsa·2026-05-14
CVE-2026-42863 [HIGH] CWE-284 FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
### Summary
A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI.
The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object.
Due to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings.
### Details
The endpoint responsible for updating chatflows:
**PUT /api/v1/chatflows/{chatflowId}**
accepts a JSON request bod
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-08
Published