{"vulnerability": "GHSA-59FH-9F3P-7M39", "sightings": [{"uuid": "43d30740-6aa0-4d26-8f28-c644148ee6c7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-59FH-9F3P-7M39", "type": "seen", "source": "https://gist.github.com/alon710/0f9bb6ad84fa652e49398a6746f04f1f", "content": "# GHSA-59FH-9F3P-7M39: GHSA-59FH-9F3P-7M39: Mass Assignment in Flowise Profile Update Endpoint\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-05-20\n> **Full Report:** https://cvereports.com/reports/GHSA-59FH-9F3P-7M39\n\n## Summary\nA mass assignment vulnerability in the Flowise profile update endpoint allows authenticated users to directly modify their database records. By injecting the `credential` field into a `PUT` request, an attacker can overwrite their password hash, bypassing standard security controls and enabling persistent account access.\n\n## TL;DR\nFlowise versions prior to 3.1.2 fail to filter incoming data on the user profile update endpoint. Authenticated attackers can supply a `credential` parameter to overwrite their password hash directly, establishing persistence without knowing the current password.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-915\n- **Attack Vector**: Network\n- **CVSS v4.0**: 5.3\n- **Privileges Required**: Low\n- **Exploit Status**: Proof of Concept\n- **Authentication**: Required\n\n## Affected Systems\n\n- Flowise Platform\n- Node.js API Services using TypeORM\n- **Flowise**: < 3.1.2 (Fixed in: `3.1.2`)\n\n## Mitigation\n\n- Upgrade Flowise to version 3.1.2 or newer\n- Implement strict allowlisting on all API update endpoints\n- Deploy WAF rules blocking the 'credential' key in PUT requests to /api/v1/user\n\n**Remediation Steps:**\n1. Verify the current Flowise version in deployment environments\n2. Update the flowise npm package to >= 3.1.2\n3. Restart the application server to apply the updated code\n4. Review user account activity for unauthorized password modifications\n\n## References\n\n- [GitHub Advisory: Mass Assignment in Flowise](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-59fh-9f3p-7m39)\n- [OSV Record GHSA-59fh-9f3p-7m39](https://osv.dev/vulnerability/GHSA-59fh-9f3p-7m39)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-59FH-9F3P-7M39) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-21T06:10:50.000000Z"}]}