HIGH 8.8

CVE-2026-46476: Flowise Cross-Workspace Template Takeover Vulnerability

Flowise, a visual tool for building customized large language model workflows, contains a vulnerability in how it handles template creation and updates. Attackers with user access can exploit mass-assignment flaws to take control of templates across different workspaces—essentially hijacking template configurations that should be isolated from one another. The vulnerability affects all versions prior to 3.1.2 and has been resolved in that release.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-915
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper input validation in the CustomTemplate create and update endpoints, allowing authenticated attackers to exploit mass-assignment to modify or take control of template objects across workspace boundaries. The flaw permits an authenticated user to inject unintended parameters during template operations, bypassing access controls that should restrict template ownership and scope to individual workspaces. This is categorized as CWE-915 (Improper Control of Dynamically-Managed Code Resources), indicating the application fails to properly constrain which attributes can be assigned during object manipulation.

Business impact

This vulnerability poses a direct threat to multi-tenant Flowise deployments where different teams or customers operate within separate workspaces. A compromised or malicious user can alter or commandeer templates created by others, leading to poisoned LLM workflows, data exfiltration through modified prompts, or disruption of legitimate AI automation pipelines. For organizations relying on Flowise for production AI orchestration, cross-workspace template takeover could result in unauthorized access to sensitive configurations, degraded service reliability, and potential compliance violations if templates are used to process regulated data.

Affected systems

Flowise versions prior to 3.1.2 are vulnerable. The vulnerability requires user-level authentication to exploit, so it affects deployments where internal users, contractors, or federated accounts have access to the Flowise UI. Organizations running Flowise in isolated, single-user, or air-gapped environments face lower risk than those exposing multi-user instances to broader networks.

Exploitability

Exploitation requires valid Flowise user credentials and access to the template management interface. No special network position, elevated privileges, or user interaction is necessary beyond the attacker's authenticated session. The attack surface is straightforward: modify API requests during template CRUD operations to inject workspace-crossing parameters. This makes the vulnerability moderately exploitable for insiders or accounts obtained through credential compromise. Public exploit code has not been disclosed.

Remediation

Upgrade Flowise to version 3.1.2 or later immediately. This release patches the mass-assignment vulnerability by implementing strict input validation and access control checks on the CustomTemplate endpoints. Organizations should verify the patched version is deployed across all instances and confirm that workspace isolation is functioning correctly in a test environment before production rollout.

Patch guidance

Deploy Flowise 3.1.2 according to the vendor's upgrade documentation. If you are operating Flowise in a containerized environment, pull the latest image tagged for version 3.1.2 or higher. For source-based deployments, fetch the patched release from the official repository and rebuild. No configuration changes are required post-patch. Verify template access controls by confirming that templates created in one workspace cannot be viewed or modified from another workspace by the same user.

Detection guidance

Monitor Flowise application logs for suspicious template modification activity, particularly API calls to CustomTemplate create/update endpoints with parameters that do not align with the authenticated user's current workspace context. Look for audit trail entries showing cross-workspace template alterations or unexpected ownership changes. If available, enable debug logging on the template service to capture parameter values passed during create and update operations. Network-level detection is limited since this is an authenticated application flaw; focus on application-layer telemetry and access logs.

Why prioritize this

This vulnerability rates HIGH severity due to its direct impact on data and workflow integrity in multi-user environments. The CVSS 3.1 score of 8.8 reflects high confidentiality, integrity, and availability impact accessible to low-privileged authenticated users over the network. While exploitation requires valid credentials, the barrier is relatively low in environments with permissive access or where credentials are frequently shared or compromised. Flowise users should prioritize patching, especially those with multiple teams or customers relying on workspace isolation.

Risk score, explained

CVSS 3.1 score of 8.8 (HIGH): Network-accessible attack vector (AV:N), low attack complexity (AC:L), and low privilege requirements (PR:L) combine with high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability allows authenticated users to completely compromise template confidentiality and integrity within other workspaces, and denial-of-service impacts are possible through template corruption. The score appropriately reflects a serious but not critical issue, as exploitation is confined to authenticated sessions and does not affect system availability at the infrastructure level.

Frequently asked questions

Does this vulnerability affect Flowise deployments where each user has their own workspace?

The vulnerability specifically exploits cross-workspace access. In single-user deployments or environments where workspace isolation is not relied upon, the practical impact is reduced. However, best practice is to upgrade regardless, as future workspace configurations or user additions could introduce risk. Verify your workspace architecture before concluding you are unaffected.

Can an unauthenticated attacker exploit this?

No. The vulnerability requires valid Flowise user credentials. However, if credentials are compromised through phishing, weak passwords, or lateral movement, the attacker gains the ability to take over templates across workspaces. Enforce strong authentication and credential hygiene alongside patching.

What should I do if I suspect templates have been tampered with?

Immediately audit your CustomTemplate storage and audit logs for unexpected modifications, particularly entries showing changes from users outside the owning workspace. Restore templates from clean backups if available, and verify the integrity of any LLM flows that depend on affected templates. After patching to 3.1.2, re-establish trust in your template library.

Are there any workarounds if I cannot patch immediately?

Restrict Flowise access to trusted users only, disable cross-workspace user permissions if your version supports granular controls, and increase audit logging on template operations. These measures reduce but do not eliminate risk. Patching to 3.1.2 is the authoritative remediation and should be prioritized within your change management window.

This analysis is provided for informational purposes and represents SEC.co's assessment based on publicly available information. Exploit techniques or proof-of-concept code are not provided. Organizations should validate all findings against their specific Flowise deployments and vendor advisories before making patching decisions. The CVSS score and vulnerability details reflect data current as of the last update and may be superseded by vendor announcements or additional research. Always consult the official Flowise security advisory and upgrade documentation for definitive remediation guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).