HIGH 8.8

CVE-2026-46479: Flowise Cross-Workspace Evaluation Takeover (High)

Flowise, a no-code platform for building customized LLM workflows, contains a privilege escalation vulnerability in its evaluation management system. Attackers with valid user credentials can modify evaluation records in ways that bypass workspace isolation, allowing them to view, edit, or delete evaluations belonging to other teams or organizations. The vulnerability stems from improper input validation in the create and update endpoints—a classic mass-assignment flaw. Version 3.1.2 and later patch this issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-915
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46479 is a cross-workspace evaluation takeover vulnerability affecting Flowise prior to version 3.1.2. The vulnerability exists in the evaluation creation and update endpoints, which fail to properly restrict user access to workspace-scoped resources. An authenticated attacker can craft API requests with modified evaluation parameters to access or manipulate evaluations outside their assigned workspace. The root cause is improper mass-assignment handling in the evaluation model, allowing direct manipulation of workspace associations. This is classified as CWE-915 (Improper Control of Dynamically-Managed Code Resources).

Business impact

For organizations using Flowise as a multi-tenant LLM orchestration platform, this vulnerability enables unauthorized cross-team data access and modification. A disgruntled employee or compromised account can disrupt or sabotage evaluation workflows belonging to other departments, alter LLM configurations that other teams depend on, and potentially exfiltrate sensitive prompts, datasets, or model outputs embedded in evaluations. In regulated industries (finance, healthcare), unauthorized access to evaluation data may trigger compliance violations. The impact is amplified in shared Flowise instances serving multiple business units.

Affected systems

Flowise versions prior to 3.1.2 are vulnerable. The vulnerability requires valid authentication to the Flowise platform, but does not require administrative privileges—any authenticated user can exploit it. This affects all Flowise deployments (cloud-hosted, self-managed, containerized) without regard to deployment method. The vulnerability does not require special network positioning; it is remotely exploitable from any endpoint with network access to the Flowise API.

Exploitability

This vulnerability has a CVSS v3.1 score of 8.8 (HIGH) due to its network-accessible attack vector, low attack complexity, and requirement for only low privileges (valid user login). No special conditions or user interaction are required—an authenticated attacker can immediately modify evaluations via direct API calls. However, the attacker must possess a valid Flowise account (acquired through legitimate onboarding or credential compromise). The risk is moderate in organizations with strong access controls and credential hygiene, but substantially higher in environments with shared logins or loose account provisioning.

Remediation

Upgrade Flowise to version 3.1.2 or later, which includes fixes to enforce workspace-level authorization checks in evaluation endpoints. Verify the patch is applied by checking the installed version in the Flowise admin interface or container image metadata. Organizations unable to upgrade immediately should implement network-level access controls restricting Flowise API access to trusted IP ranges and monitor evaluation modification logs for suspicious cross-workspace changes.

Patch guidance

Deploy Flowise 3.1.2 or a later stable release. If you maintain a containerized deployment, pull the updated image from the official Flowise registry and redeploy with updated image tags. If you run Flowise from source, update to the patched commit and rebuild. Verify the deployment by checking the version endpoint (typically /api/version or equivalent) and confirm it returns 3.1.2 or higher. Test evaluation creation and modification workflows in your staging environment before production rollout. No data migration or backward-compatibility issues are expected.

Detection guidance

Monitor Flowise API logs for evaluation update or create requests that reference workspace IDs inconsistent with the authenticated user's assigned workspace. Look for patterns of bulk evaluation enumeration or rapid modification of evaluations across multiple workspaces from a single account. Enable API request logging at the evaluation endpoint level and correlate logs with user activity during suspected breach windows. If available, use your SIEM to alert on evaluation API calls from user accounts outside normal business hours or from unexpected geographic origins.

Why prioritize this

This vulnerability merits immediate patching because it enables authenticated privilege escalation with high confidentiality, integrity, and availability impact. The CVSS score of 8.8 reflects the severity, and the fact that exploitation requires only a valid user account—not administrative access or external reconnaissance—lowers the barrier to abuse. It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the combination of ease of exploitation and significant impact makes it a priority for patch deployment within 30 days.

Risk score, explained

The HIGH severity rating (CVSS 8.8) is driven by three factors: (1) network accessibility with no special conditions required, (2) requirement for only low privileges (standard user login), and (3) high impact across confidentiality, integrity, and availability—an attacker can read, modify, and delete evaluations. The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H reflects that while authentication is a gating factor, the scope is limited to the user's own system (S:U), meaning the attacker cannot pivot to other systems, but the impact within Flowise is complete.

Frequently asked questions

Do we need to patch immediately if our Flowise instance only has one workspace?

No. The vulnerability specifically enables cross-workspace takeover. If you have only a single workspace, an attacker still requires valid credentials but cannot exploit the mass-assignment flaw to escalate beyond their assigned roles. However, patching is still recommended as a preventive measure and to close the underlying authorization defect.

Can this vulnerability be exploited without valid credentials?

No. The CVSS vector includes PR:L (low privilege requirement), meaning an attacker must authenticate as a valid Flowise user. Compromised or shared credentials are the typical attack vector. Ensure credential hygiene and consider multi-factor authentication if supported.

How do we know if we've been exploited?

Check Flowise audit or API logs for evaluation modifications performed by user accounts that do not own those evaluations, or changes to workspace IDs in evaluation records. If you lack detailed API logging, upgrade to 3.1.2 and implement structured logging before attempting forensic review.

Does the patch require downtime?

Typically no. Most Flowise deployments can be updated with a rolling restart or by redeploying a new container image. However, verify your specific deployment architecture; if you run a single-instance setup, a brief restart may be necessary.

This analysis is based on publicly available information as of the publication date and is provided for informational purposes only. Verify all patch versions, CVSS scores, and affected product details against the official vendor advisory and Flowise release notes. Organizations should conduct their own risk assessment and testing before deploying patches. SEC.co makes no warranty regarding the accuracy or completeness of this information and assumes no liability for decisions made on the basis of this analysis. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).