GHSA-HP26-Q66V-Q2W7
Vulnerability from github – Published: 2026-05-14 14:57 – Updated: 2026-05-14 20:55
Summary
A Mass Assignment vulnerability exists in the assistant update endpoint of FlowiseAI.
The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource.
Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments.
Details
The endpoint responsible for updating assistants:
PUT /api/v1/assistants/{assistantId}
accepts a JSON request body containing assistant metadata.
However, the server does not restrict which properties may be modified by the client. As a result, user-controlled request bodies can include additional fields that should normally be controlled only by the backend.
Server-controlled fields that can be manipulated include:
- workspaceId
- createdDate
- updatedDate
These fields appear to be directly mapped to the underlying database entity without strict DTO whitelisting or authorization checks.
For example, the following request body was accepted:
{
"details": "",
"credential": "11ca7fef-c9b1-4c87-aa54-e547aed8a249",
"iconSrc": null,
"type": "CUSTOM",
"createdDate": "2026-03-06T17:31:04.000Z",
"updatedDate": "2026-03-06T17:31:55.000Z",
"workspaceId": "11111111-2222-3333-4444-555555555555"
}
This indicates that internal, server-controlled properties can be modified by an authenticated user.
PoC
1. Authenticate to the Flowise interface.
2. Capture the request used to update an assistant:
PUT /api/v1/assistants/<ASSISTANT_ID>
Content-Type: application/json
and modify the request body by injecting server-controlled fields:
{
"details": "",
"credential": "11ca7fef-c9b1-4c87-aa54-e547aed8a249",
"iconSrc": null,
"type": "CUSTOM",
"createdDate": "2026-03-06T17:31:04.000Z",
"updatedDate": "2026-03-06T17:31:55.000Z",
"workspaceId": "11111111-2222-3333-4444-555555555555"
}
3. Send the request.
Observe that the response accepts and persists the attacker-controlled workspaceId and metadata fields. Confirm persistence by re-reading the assistant afterwards rather than relying on the PUT response body alone; the stored record, not the echoed body, is what demonstrates the cross-workspace move.
Impact
This vulnerability allows authenticated users to manipulate internal attributes of assistant resources.
Confirmed impacts include:
- Cross-workspace reassignment of assistants (workspaceId)
- Unauthorized modification of metadata (createdDate, updatedDate)
In multi-tenant deployments, this may allow an attacker to move assistants between workspaces without authorization, breaking tenant isolation boundaries. Per the affected range in the record below, the issue is fixed in flowise 3.1.2 on npm (affected: <= 3.1.1).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.1"
},
"package": {
"ecosystem": "npm",
"name": "flowise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46441"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T14:57:46Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nA Mass Assignment vulnerability exists in the assistant update endpoint of FlowiseAI.\n\nThe endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource.\n\nDue to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments.\n\n### Details\nThe endpoint responsible for updating assistants:\n\n**PUT /api/v1/assistants/{assistantId}**\n\naccepts a JSON request body containing assistant metadata.\n\nHowever, the server does not restrict which properties may be modified by the client. As a result, user-controlled request bodies can include additional fields that should normally be controlled only by the backend.\n\nServer-controlled fields that can be manipulated include:\n\n1. workspaceId\n2. createdDate\n3. updatedDate\n\nThese fields appear to be directly mapped to the underlying database entity without strict DTO whitelisting or authorization checks.\n\nFor example, the following request body was accepted:\n\n```json\n{\n \"details\": \"\",\n \"credential\": \"11ca7fef-c9b1-4c87-aa54-e547aed8a249\",\n \"iconSrc\": null,\n \"type\": \"CUSTOM\",\n \"createdDate\": \"2026-03-06T17:31:04.000Z\",\n \"updatedDate\": \"2026-03-06T17:31:55.000Z\",\n \"workspaceId\": \"11111111-2222-3333-4444-555555555555\"\n}\n```\n\nThis indicates that internal, server-controlled properties can be modified by an authenticated user.\n\n### PoC\n\n1. Authenticate to the Flowise interface.\n2. Capture the request used to update an assistant:\n\n```http\nPUT /api/v1/assistants/\u003cASSISTANT_ID\u003e\nContent-Type: application/json\n\nModify the request body by injecting server-controlled fields:\n\n{\n \"details\": \"\",\n \"credential\": \"11ca7fef-c9b1-4c87-aa54-e547aed8a249\",\n \"iconSrc\": null,\n \"type\": \"CUSTOM\",\n \"createdDate\": \"2026-03-06T17:31:04.000Z\",\n \"updatedDate\": \"2026-03-06T17:31:55.000Z\",\n \"workspaceId\": \"11111111-2222-3333-4444-555555555555\"\n}\n\n```\n3.Send the request.\n\nObserve that the response accepts and persists the attacker-controlled workspaceId and metadata fields.\n\n### Impact\nThis vulnerability allows authenticated users to manipulate internal attributes of assistant resources.\n\nConfirmed impacts include:\n\n- Cross-workspace reassignment of assistants (workspaceId)\n- Unauthorized modification of metadata (createdDate, updatedDate)\n\nIn multi-tenant deployments, this may allow an attacker to move assistants between workspaces without authorization, breaking tenant isolation boundaries.",
"id": "GHSA-hp26-q66v-q2w7",
"modified": "2026-05-14T20:55:07Z",
"published": "2026-05-14T14:57:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-hp26-q66v-q2w7"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
},
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.