GHSA-5WXP-QJGQ-FX6M

Vulnerability from github – Published: 2026-05-14 14:54 – Updated: 2026-05-14 14:54
VLAI
Summary
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
Details

Summary

A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI.

The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object.

Due to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings.

Details

The endpoint responsible for updating chatflows:

PUT /api/v1/chatflows/{chatflowId}

accepts a JSON request body containing the chatflow configuration (flowData) along with other metadata fields.

However, the server does not restrict which properties may be modified by the client. As a result, user-controlled request bodies can include additional fields that should normally be controlled only by the backend.

Examples of server-controlled fields that can be manipulated include:

  1. deployed
  2. isPublic
  3. workspaceId
  4. createdDate
  5. updatedDate
  6. category
  7. type

These fields appear to be directly mapped to the underlying database entity when processing the update request, suggesting that the server performs a direct merge of the request body into the chatflow model without applying a strict DTO whitelist or authorization checks.

For example, modifying the request body with:

{
  "deployed": true,
  "isPublic": true,
  "createdDate": "1999-03-06T10:59:32.000Z",
  "updatedDate": "1999-03-06T13:21:34.000Z",
  "workspaceId": "11111111-2222-3333-4444-555555555555"
}

results in the server accepting and persisting these values.

In testing, a second workspace was created in the database and the workspaceId field was successfully modified through the API request. The chatflow was reassigned to the attacker-controlled workspace, confirming that the application does not enforce workspace ownership validation.

PoC

Authenticate to the Flowise interface.

Capture the request used to update a chatflow:

PUT /api/v1/chatflows/<CHATFLOW_ID>
Content-Type: application/json

Modify the request body by injecting additional fields:

{
  "name": "test-flow",
  "flowData": "{...}",
  "deployed": true,
  "isPublic": true,
  "workspaceId": "11111111-2222-3333-4444-555555555555"
}

Send the request.

Observe that the response returns the manipulated values:

{
  "deployed": true,
  "isPublic": true,
  "workspaceId": "11111111-2222-3333-4444-555555555555"
}

Verify in the database that the chatflow has been reassigned:

SELECT id, workspaceId FROM chat_flow WHERE id='<CHATFLOW_ID>';

The workspaceId value reflects the attacker-supplied workspace.

Impact

This vulnerability allows authenticated users to manipulate server-controlled attributes of chatflows.

Confirmed impacts include:

  • Unauthorized modification of chatflow visibility (isPublic)
  • Unauthorized deployment state changes (deployed)
  • Cross-workspace reassignment of chatflows (workspaceId)
  • Unauthorized modification of metadata (createdDate, updatedDate)

In multi-tenant environments, this allows an attacker to move chatflows between workspaces without authorization, breaking tenant isolation boundaries.

This may enable:

  • Cross-workspace workflow takeover
  • Unauthorized exposure of private workflows
  • Manipulation of deployed agent workflows

The issue stems from missing authorization checks and improper handling of client-controlled input in the chatflow update endpoint.

Severity
7.6 (High)
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T14:54:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nA Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI.\n\nThe endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object.\n\nDue to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings.\n\n### Details\nThe endpoint responsible for updating chatflows:\n\n**PUT /api/v1/chatflows/{chatflowId}**\n\naccepts a JSON request body containing the chatflow configuration (flowData) along with other metadata fields.\n\nHowever, the server does not restrict which properties may be modified by the client. As a result, user-controlled request bodies can include additional fields that should normally be controlled only by the backend.\n\nExamples of server-controlled fields that can be manipulated include:\n\n1. deployed\n2. isPublic\n3. workspaceId\n4. createdDate\n5. updatedDate\n6. category\n7. type\n\nThese fields appear to be directly mapped to the underlying database entity when processing the update request, suggesting that the server performs a direct merge of the request body into the chatflow model without applying a strict DTO whitelist or authorization checks.\n\nFor example, modifying the request body with:\n\n```json\n{\n  \"deployed\": true,\n  \"isPublic\": true,\n  \"createdDate\": \"1999-03-06T10:59:32.000Z\",\n  \"updatedDate\": \"1999-03-06T13:21:34.000Z\",\n  \"workspaceId\": \"11111111-2222-3333-4444-555555555555\"\n}\n```\n\nresults in the server accepting and persisting these values.\n\nIn testing, a second workspace was created in the database and the workspaceId field was successfully modified through the API request. The chatflow was reassigned to the attacker-controlled workspace, confirming that the application does not enforce workspace ownership validation.\n\n\n### PoC\nAuthenticate to the Flowise interface.\n\nCapture the request used to update a chatflow:\n\n```http\nPUT /api/v1/chatflows/\u003cCHATFLOW_ID\u003e\nContent-Type: application/json\n\nModify the request body by injecting additional fields:\n\n{\n  \"name\": \"test-flow\",\n  \"flowData\": \"{...}\",\n  \"deployed\": true,\n  \"isPublic\": true,\n  \"workspaceId\": \"11111111-2222-3333-4444-555555555555\"\n}\n```\n\nSend the request.\n\nObserve that the response returns the manipulated values:\n\n```json\n{\n  \"deployed\": true,\n  \"isPublic\": true,\n  \"workspaceId\": \"11111111-2222-3333-4444-555555555555\"\n}\n```\n\nVerify in the database that the chatflow has been reassigned:\n\n```sql\nSELECT id, workspaceId FROM chat_flow WHERE id=\u0027\u003cCHATFLOW_ID\u003e\u0027;\n```\n\nThe workspaceId value reflects the attacker-supplied workspace.\n\n### Impact\nThis vulnerability allows authenticated users to manipulate server-controlled attributes of chatflows.\n\nConfirmed impacts include:\n\n- Unauthorized modification of chatflow visibility (isPublic)\n- Unauthorized deployment state changes (deployed)\n- Cross-workspace reassignment of chatflows (workspaceId)\n- Unauthorized modification of metadata (createdDate, updatedDate)\n\nIn multi-tenant environments, this allows an attacker to move chatflows between workspaces without authorization, breaking tenant isolation boundaries.\n\nThis may enable:\n\n- Cross-workspace workflow takeover\n- Unauthorized exposure of private workflows\n- Manipulation of deployed agent workflows\n\nThe issue stems from missing authorization checks and improper handling of client-controlled input in the chatflow update endpoint.",
  "id": "GHSA-5wxp-qjgq-fx6m",
  "modified": "2026-05-14T14:54:28Z",
  "published": "2026-05-14T14:54:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5wxp-qjgq-fx6m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.