CVE-2026-46478: Flowise DatasetRow Mass-Assignment Cross-Workspace Takeover (8.8 HIGH)
Flowise, a popular drag-and-drop interface for building customized language model workflows, contains a privilege escalation flaw in its DatasetRow functionality. Before version 3.1.2, an authenticated attacker could manipulate how new dataset rows are created or updated, allowing them to inject or modify rows belonging to other workspaces. This mass-assignment vulnerability effectively grants an attacker control over another organization's data within the same Flowise deployment, provided they have valid login credentials.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-915
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover. This issue has been patched in version 3.1.2.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46478 is a mass-assignment vulnerability (CWE-915) in Flowise prior to 3.1.2 that affects the DatasetRow creation and update endpoints. The vulnerability allows an authenticated user to specify parameters that should be restricted by the application, enabling them to modify the workspace association or ownership of dataset rows. An attacker with valid credentials can craft requests that assign or transfer rows across workspace boundaries, bypassing intended isolation controls. The issue stems from insufficient input validation and parameter filtering on the affected API endpoints.
Business impact
This vulnerability poses significant risk to multi-tenant Flowise deployments. An attacker with a valid user account in one workspace could compromise confidentiality and integrity of another organization's dataset rows. In environments where Flowise is used to manage sensitive training data, prompts, or evaluation datasets for language model pipelines, unauthorized cross-workspace access could expose proprietary information, alter model training inputs, or disrupt AI/ML operations. Organizations running shared or SaaS-style Flowise instances face elevated exposure.
Affected systems
Flowise versions prior to 3.1.2 are affected. The vulnerability requires authentication, so it does not impact unauthenticated or disconnected deployments. Organizations running Flowise in multi-user or multi-tenant configurations are at highest risk; single-user or air-gapped instances face reduced practical exposure.
Exploitability
Exploitation requires valid Flowise credentials, making this a low-barrier attack for internal threats or compromised user accounts. The attack vector is network-accessible, requires minimal user interaction, and does not depend on race conditions or complex prerequisites. An attacker can exploit this without administrative rights, using standard API calls to move or modify dataset rows. No known public exploit code is referenced in the CISA KEV catalog, but the straightforward nature of mass-assignment attacks means weaponized proof-of-concept code could emerge rapidly post-disclosure.
Remediation
Organizations must upgrade Flowise to version 3.1.2 or later. This patch implements proper parameter validation and workspace isolation controls to prevent cross-workspace row modification. Patches should be deployed to all affected instances, including development, staging, and production environments. Post-patch verification should confirm that dataset rows remain isolated by workspace and that authenticated users cannot modify rows outside their assigned scope.
Patch guidance
Upgrade Flowise to version 3.1.2 or any release published after the patch date (verify against the vendor advisory for the exact versioning scheme and any additional fixes bundled in that release). If operating on a version prior to 3.1.2, prioritize this upgrade in your next maintenance window. Review any vendor guidance on potential data inconsistencies or rollback procedures, as the patch may affect how existing cross-workspace rows are handled. Test the upgrade in a non-production environment first to confirm compatibility with custom workflows or integrations.
Detection guidance
Monitor API logs for DatasetRow create and update requests, particularly those originating from users outside the expected workspace context. Look for requests containing workspace identifiers that do not match the authenticated user's home workspace. Implement log aggregation for API endpoint access patterns and flag any attempts to modify rows with workspace IDs different from the user's primary assignment. Review audit trails for unexpected ownership changes or transfers of dataset rows between workspaces. Alerting on cross-workspace modifications to sensitive datasets is recommended.
Why prioritize this
This vulnerability scores 8.8 (HIGH) due to its network accessibility, low complexity, and high impact on confidentiality, integrity, and availability. Authentication is required but is a realistic prerequisite in multi-tenant deployments where users often have access across environments. The ability to corrupt or exfiltrate another organization's data from the same Flowise instance warrants priority treatment, especially if the deployment hosts sensitive model training data or evaluation datasets.
Risk score, explained
The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects network accessibility (AV:N), no special conditions required for exploitation (AC:L), and a requirement for valid credentials (PR:L). The impact is high across all three security properties: confidentiality (data exfiltration), integrity (unauthorized modification), and availability (potential disruption via data corruption). The score of 8.8 correctly represents a serious but not critical flaw, since exploitation requires prior authentication and does not cross trust boundaries outside a single deployment.
Frequently asked questions
Does this vulnerability require administrative access to exploit?
No. The vulnerability can be exploited by any authenticated user with valid credentials to the Flowise instance, regardless of their role or permission level within their own workspace.
Are single-user Flowise deployments at risk?
Single-user instances where only one person has credentials are not practical targets for this vulnerability. The risk is highest in multi-user or multi-tenant deployments where multiple authenticated accounts exist.
What should I do if I suspect my Flowise instance has been compromised via this vulnerability?
Immediately upgrade to version 3.1.2 or later, rotate credentials for all affected users, review audit logs for suspicious DatasetRow modifications, and verify the integrity of dataset rows across all workspaces. Consider whether any training data or prompts may have been exfiltrated or altered.
Is this vulnerability included in CISA's Known Exploited Vulnerabilities (KEV) catalog?
As of the patch date, this vulnerability is not listed in the CISA KEV catalog, meaning no active exploitation in the wild has been confirmed. However, organizations should not delay patching based on this status, as exploitation could begin at any time.
This analysis is provided for informational purposes and should not be construed as official vulnerability guidance. Organizations must verify all patch versions and compatibility details against the official vendor advisory before deploying updates. CVSS scores and KEV status are accurate as of the publication date and may change. No exploit code or weaponized proof-of-concept is provided herein. Security teams should test patches in controlled environments and consult vendor documentation for their specific deployment architecture. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42863HIGHFlowiseAI Mass Assignment Vulnerability in Chatflow Update Endpoint
- CVE-2026-46475HIGHFlowise Mass-Assignment Privilege Escalation (v3.1.2 Patch)
- CVE-2026-46476HIGHFlowise Cross-Workspace Template Takeover Vulnerability
- CVE-2026-46477HIGHFlowise Dataset Cross-Workspace Takeover (CVSS 8.8)
- CVE-2026-46479HIGHFlowise Cross-Workspace Evaluation Takeover (High)
- CVE-2026-46480HIGHFlowise Mass-Assignment Vulnerability Allows Cross-Workspace Evaluator Takeover
- CVE-2026-42862MEDIUMFlowise Mass Assignment Vulnerability Breaks Workspace Isolation
- CVE-2026-42540MEDIUMIRIS Insecure Direct Object Reference API Vulnerability (CWE-915)