HIGH 8.8

CVE-2026-46475: Flowise Mass-Assignment Privilege Escalation (v3.1.2 Patch)

Flowise, a platform for building customized LLM workflows through a drag-and-drop interface, contains a privilege escalation vulnerability in its assistant management features. Prior to version 3.1.2, an authenticated attacker can exploit mass-assignment flaws in the create and update endpoints to take over assistants belonging to other workspaces, potentially accessing or modifying shared LLM configurations across organizational boundaries.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-915
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46475 is a mass-assignment vulnerability (CWE-915) affecting Flowise versions before 3.1.2. The vulnerability exists in the assistant create and update endpoints, which fail to properly restrict which fields can be modified by an authenticated user. This allows an attacker with valid credentials to bypass workspace isolation controls and assume ownership of or modify assistants in other workspaces, resulting in cross-workspace compromise. The attack requires authentication but no user interaction and impacts the confidentiality, integrity, and availability of affected assistants.

Business impact

A successful exploit permits an authenticated insider or compromised account to access proprietary LLM flows, prompt templates, and configurations across workspace boundaries. This poses risks to intellectual property theft, data exfiltration through model interactions, and disruption of AI-driven business processes. Organizations using Flowise for multi-tenant or multi-team deployments face heightened risk of lateral movement and unauthorized model manipulation.

Affected systems

Flowise versions prior to 3.1.2 are vulnerable. The vulnerability affects any deployment where multiple users or workspaces share a single Flowise instance. Self-hosted and cloud-based deployments are equally at risk if not patched.

Exploitability

The vulnerability has a CVSS score of 8.8 (HIGH) and carries a low attack complexity. It requires valid authentication credentials but no user interaction to execute. Network accessibility is not restricted. The barrier to exploitation is moderate—an attacker must have or obtain valid Flowise credentials—but the attack itself is straightforward once authenticated. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the published date.

Remediation

Update Flowise to version 3.1.2 or later immediately. Organizations should verify their current Flowise version and deploy patches across all affected instances. If immediate patching is not possible, restrict Flowise access to trusted internal networks and implement strong authentication controls to reduce the likelihood of credential compromise.

Patch guidance

Upgrade to Flowise version 3.1.2 or any later release. Patch deployment should be prioritized for instances serving multiple workspaces or teams, or those handling sensitive LLM workflows. Verify the upgrade by checking the Flowise version string in the application interface or via the vendor advisory. Test the update in a non-production environment first to ensure compatibility with existing workflows and custom integrations.

Detection guidance

Monitor Flowise API logs for suspicious create or update requests to assistant endpoints originating from unexpected user accounts or IP addresses. Look for requests that reference assistant IDs outside the user's assigned workspace. Audit logs may reveal unauthorized assistant modifications or ownership changes. Network-level detection should flag any authenticated sessions making bulk or rapid modifications to shared resources across workspace boundaries. Alert on failed access attempts to cross-workspace assistants if logging is available.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH CVSS score, ease of exploitation by authenticated users, and direct impact on data confidentiality and integrity. Organizations using Flowise for production LLM workflows should treat patching as urgent, particularly if the deployment serves multiple teams or customers. The low attack complexity and broad access impact justify prioritization above many other vulnerabilities.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects: (1) network-accessible endpoints requiring only authentication, (2) high impact on confidentiality (unauthorized access to assistants and LLM flows), integrity (modification of shared configurations), and availability (potential deletion or disablement of assistants), (3) low attack complexity (no special conditions or tricks required), and (4) privilege escalation across workspace isolation boundaries. The score does not include organizational risk factors such as multi-tenant deployments or the sensitivity of hosted LLM models.

Frequently asked questions

Does this vulnerability affect single-user or standalone Flowise deployments?

Single-user instances or those without workspace multi-tenancy are at lower risk because cross-workspace takeover requires multiple workspaces to exist. However, all versions prior to 3.1.2 should still be patched to close the underlying mass-assignment flaw and maintain security posture.

Is authentication always required to exploit this vulnerability?

Yes. The vulnerability requires valid Flowise credentials to access the vulnerable endpoints. However, credential compromise through phishing, weak passwords, or other means could enable exploitation. Strong authentication practices remain essential.

Will patching to 3.1.2 disrupt my existing Flowise workflows?

Patch releases typically include only security fixes and are designed to be backward-compatible. Test the update in a staging environment first to confirm compatibility with your custom assistants, integrations, and configurations before deploying to production.

What should I do if I suspect unauthorized assistant access or modification in my Flowise instance?

Immediately review audit and API logs to identify suspicious activity. Change credentials for all Flowise user accounts, reset assistant ownership where possible, and audit the configuration of any assistants that may have been accessed. After patching to 3.1.2, implement stronger access controls and monitor for further anomalies.

This analysis is based on publicly disclosed information and the vendor advisory as of the modification date (June 17, 2026). Patch version numbers, timelines, and availability are subject to change. Organizations should verify all patch versions against official Flowise release notes and security advisories. This is not legal or compliance advice. Consult your security team and applicable regulations before implementing remediation steps. No exploit code or weaponized proof-of-concept information is provided herein. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).