HIGH 8.8

CVE-2026-46480: Flowise Mass-Assignment Vulnerability Allows Cross-Workspace Evaluator Takeover

Flowise, a no-code platform for building customized large language model workflows, contains a privilege escalation vulnerability in its evaluator management feature. An authenticated attacker can exploit improper input validation during evaluator creation or updates to gain unauthorized access to evaluators across different workspaces. This allows an attacker to take over evaluators belonging to other users or teams, potentially manipulating AI workflow logic and data without authorization. The vulnerability requires an existing login but no elevated privileges to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-915
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46480 is a mass-assignment vulnerability affecting Flowise versions prior to 3.1.2. The evaluator create and update endpoints fail to properly validate or restrict which workspace-scoped resources a user can modify. An authenticated user can supply additional parameters during API requests to modify evaluators outside their workspace context, resulting in cross-workspace access and control. The vulnerability is classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), a pattern where applications allow attackers to set arbitrary object properties via request parameters without sufficient authorization checks.

Business impact

Successful exploitation enables unauthorized modification of evaluator configurations across organizational boundaries within a Flowise instance. An attacker could alter AI evaluation logic, redirect outputs, access sensitive prompts or model configurations, or sabotage workflows used by other teams. For organizations using Flowise to manage production LLM pipelines, this represents a significant integrity and confidentiality risk. Multi-tenant deployments are especially vulnerable, as compromise of one workspace does not require breaking authentication—only leveraging existing credentials to exceed intended scope.

Affected systems

Flowise versions before 3.1.2 are affected. The vulnerability impacts the evaluator management subsystem, which may be used in any Flowise deployment, particularly those supporting multiple workspaces or teams. Organizations running Flowise with shared environments, API integrations, or user-created flows that depend on evaluators are at highest risk. The issue does not affect Flowise 3.1.2 and later.

Exploitability

This vulnerability has a high exploitability profile. It requires only valid user credentials—no special access level, no interaction with other users, and no complex manipulation. An attacker with a standard user account can craft API requests with modified parameters to access and modify evaluators in other workspaces. The attack is straightforward to automate and difficult to detect without detailed API logging. No known public exploit has been referenced in KEV; however, the technical simplicity makes weaponization trivial once the vulnerability is disclosed.

Remediation

Upgrade Flowise to version 3.1.2 or later, which patches the mass-assignment vulnerability by implementing proper authorization controls on evaluator endpoints. The patch enforces workspace-scoped access validation, ensuring users can only view and modify evaluators within their assigned workspace. Organizations should verify against the Flowise release notes to confirm the update version deployed in their environment.

Patch guidance

Apply Flowise version 3.1.2 or higher. Before upgrading, test the new version in a staging environment to ensure compatibility with existing workflows and integrations. Document any custom evaluators or extensions in use, as the patch may affect their behavior if they rely on undocumented parameter handling. After deployment, audit workspace membership and evaluator ownership to detect any unauthorized changes that may have occurred during the vulnerability window.

Detection guidance

Monitor Flowise API logs for evaluator create and update requests originating from users outside the target evaluator's workspace. Look for requests to `/evaluators` endpoints with workspace IDs that do not match the authenticated user's assigned workspaces. Enable verbose logging on the evaluator subsystem and review for suspicious parameter values or batch operations. Implement alerting on cross-workspace resource modification attempts. Organizations using intrusion detection systems should correlate Flowise logs with network activity to identify lateral movement patterns.

Why prioritize this

This vulnerability scores 8.8 (HIGH) because it requires only low-privilege authentication to achieve high-impact outcomes: confidentiality, integrity, and availability of evaluators and their associated workflows can all be compromised. The attack surface is accessible to any user with credentials, including contractors, partners, or compromised accounts with minimal privileges. In multi-tenant or shared Flowise instances, the blast radius is potentially organization-wide. Although no active exploitation is currently tracked in KEV, the simplicity of the attack and sensitivity of LLM configurations warrant immediate patching.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects: (AV:N) network-accessible API requiring no special network positioning; (AC:L) low complexity—standard HTTP requests with modified parameters; (PR:L) low privilege—any authenticated user; (UI:N) no user interaction needed; (S:U) impact isolated to the application scope; (C:H/I:H/A:H) complete compromise of evaluator confidentiality, integrity, and availability. The metric combination elevates the score despite the authentication requirement because the privilege level needed is minimal and the impact on targeted resources is complete.

Frequently asked questions

Does this vulnerability affect Flowise if it is air-gapped or on-premises?

Yes. The vulnerability depends on authentication and API access, not internet connectivity. Any Flowise deployment—cloud, on-premises, or air-gapped—that supports multiple users or workspaces is at risk. Upgrade to 3.1.2 regardless of deployment model.

Can an attacker without credentials exploit this vulnerability?

No. The vulnerability requires valid Flowise login credentials. However, it does not require elevated privileges—a standard user account is sufficient. If your organization has many users or third-party integrations with Flowise access, the attack surface is correspondingly larger.

Will patching Flowise to 3.1.2 disrupt my existing evaluators or workflows?

The patch enforces proper authorization controls but should not alter evaluator functionality. Test in a non-production environment first to confirm compatibility with your custom configurations. If you have evaluators that were created before the patch and now appear inaccessible, review workspace assignments to ensure the owner's account still has access to the correct workspace.

How can I detect if this vulnerability has been exploited in my Flowise instance?

Review API access logs and audit trails for evaluator modifications by users outside their home workspace. Check evaluator ownership and configuration changes during the vulnerability window (before 3.1.2 deployment). If you lack detailed logs, upgrade immediately and then audit evaluator integrity afterward.

This analysis is provided for informational purposes. No exploit code or weaponized proof-of-concept is included. Organizations should validate all patch versions and compatibility against official Flowise release notes and their vendor advisories. Testing should be performed in non-production environments before production deployment. SEC.co does not warrant the accuracy or completeness of this analysis and recommends consulting Flowise documentation and your organization's security team for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).