HIGH 8.8

CVE-2026-46477: Flowise Dataset Cross-Workspace Takeover (CVSS 8.8)

Flowise, a visual interface for building and customizing language model workflows, contains a mass-assignment vulnerability in its dataset management functions. Before version 3.1.2, an authenticated attacker could exploit weak input validation during dataset creation or updates to access and modify datasets across different workspaces—effectively taking over datasets belonging to other users or teams. The vulnerability requires a valid user account to exploit but poses a serious risk to multi-tenant Flowise deployments where data isolation is critical.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-915
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover. This issue has been patched in version 3.1.2.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper handling of user-supplied input when creating or updating datasets. Mass-assignment flaws (CWE-915) occur when applications automatically bind request parameters to object properties without adequate validation or filtering. In this case, an authenticated attacker can craft requests that bypass workspace isolation controls, allowing them to modify or assume ownership of datasets outside their intended scope. The issue affects all Flowise versions prior to 3.1.2, where proper input sanitization and workspace boundary enforcement have been implemented.

Business impact

In multi-tenant Flowise environments, this vulnerability enables unauthorized dataset access and modification across organizational boundaries. An attacker with a standard user account could expose sensitive training data, manipulate model inputs, or disrupt workflows used by other teams. For organizations using Flowise to manage proprietary language models or customer-sensitive information, the risk extends to data confidentiality, integrity, and availability. The high CVSS score reflects the combination of network accessibility, low attack complexity, and the breadth of impact on all three security properties.

Affected systems

Flowise versions prior to 3.1.2 are affected. The vulnerability impacts any deployment where multiple workspaces or teams share a single Flowise instance, particularly where datasets contain sensitive or proprietary information. Standalone single-user or isolated deployments face lower risk, but the authentication requirement means internal or trusted users are the primary threat vector in such environments.

Exploitability

Exploitation requires a valid Flowise user account—there is no pre-authentication vector. Once authenticated, the attack is straightforward: an attacker simply submits a crafted dataset creation or update request with parameters designed to assign the dataset to a different workspace or user. The low attack complexity and absence of user interaction requirements mean that exploitation can be automated. Detection by other workspace users may be delayed if audit logging is not comprehensive.

Remediation

Upgrade Flowise to version 3.1.2 or later immediately. This patch version includes corrected input validation and workspace boundary enforcement in dataset operations. Organizations should also review audit logs for evidence of unauthorized dataset modifications or creation events that span multiple workspaces, particularly if version 3.1.2 was deployed after the original publication date.

Patch guidance

Apply version 3.1.2 or any subsequent stable release from the flowiseai project. Verify the upgrade through the Flowise administration interface or API endpoint that reports version information. Test the patch in a non-production environment first, particularly if you have custom workflows or integrations that depend on dataset APIs. After patching, run a brief validation that authenticated users can only access datasets within their assigned workspaces. If running a containerized deployment, ensure your container image is rebuilt from the patched source or updated from a vendor-provided image registry.

Detection guidance

Monitor Flowise API logs and audit trails for dataset creation or update requests originating from unexpected user accounts or occurring outside normal business patterns. Look for POST or PUT requests to dataset endpoints that reference workspace identifiers that do not match the authenticated user's assigned workspace. If your Flowise instance logs HTTP request bodies, examine them for suspicious parameter injection attempts. Database audit logs (if enabled) should show unexpected INSERT or UPDATE operations on dataset metadata tables tied to cross-workspace modifications.

Why prioritize this

This vulnerability merits immediate patching due to its high CVSS score (8.8), the confluence of confidentiality, integrity, and availability impact, and the low barrier to exploitation for any authenticated user. Although it requires authentication, organizations cannot rely on user trustworthiness in shared or federated environments. The risk is especially acute if datasets contain training data for sensitive models, customer information, or proprietary business logic.

Risk score, explained

The CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H vector yields a score of 8.8 (HIGH). Attack Vector: Network (any authenticated user can exploit remotely). Attack Complexity: Low (no special conditions needed). Privileges Required: Low (standard user account sufficient). User Interaction: None (fully automated). Scope: Unchanged (impact is confined to Flowise datasets, not system-wide). Confidentiality: High (full dataset exposure possible). Integrity: High (datasets can be modified or deleted). Availability: High (datasets can be rendered inaccessible to rightful owners). The combination of three 'High' impact properties with low attack friction justifies the HIGH severity rating.

Frequently asked questions

Do I need a Flowise admin account to exploit this vulnerability?

No. The vulnerability can be exploited by any authenticated Flowise user, including standard users with minimal privileges. This makes it a significant insider or low-privilege attacker threat.

Will upgrading to 3.1.2 break my existing datasets or workflows?

Version 3.1.2 is a patch release that addresses input validation and workspace isolation. It should not alter the structure or operation of existing datasets. Always test in a staging environment first, but breaking changes are not expected.

How can I check if my Flowise instance has been compromised by this vulnerability?

Review audit logs for dataset operations that reference workspaces outside the attacker's account scope. Look for datasets with unexpected ownership changes or creation timestamps that correlate with suspicious user activity. If possible, compare dataset ownership records before and after the publication date of this CVE.

Is this vulnerability present in air-gapped or offline Flowise deployments?

The technical flaw exists in any version before 3.1.2, regardless of network connectivity. However, the threat model depends on your deployment: offline, single-user instances face minimal risk. Multi-user or multi-tenant deployments on internal networks remain vulnerable to authenticated internal users.

This analysis is provided for educational and defensive purposes. No proof-of-concept code or detailed exploitation steps are included. Security teams should verify all patch versions and vendor guidance directly against official Flowise release notes and advisories. CVSS scores and severity ratings reflect the CVSS 3.1 standard and should be contextualized within your organization's specific threat model, deployment architecture, and data sensitivity. Timelines for patch availability and adoption vary; consult your internal change management processes before deploying updates to production environments. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).