CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added 2 days ago•3 views

CVE-2026-42863

Exploits0References3Affected Software1

CVE•added 2 days ago•6 views

CVE-2026-42863

Summary. FlowiseAI’s Flowise product has a mass-assignment vulnerability in the chatflow update endpoint that lets an authenticated user modify server-controlled fields (deployed, isPublic, workspaceId, createdDate, updatedDate, etc.) and reassign a chatflow to another workspace. The issue stems ...

Vulnrichment•added 2 days ago•3 views

CVE-2026-42863 Flowise: Mass Assignment in Chatflow Update Endpoint Allows Cross-Workspace AgentFlow Reassignment

Cvelist•added 2 days ago•35 views

CVE-2026-42863 Flowise: Mass Assignment in Chatflow Update Endpoint Allows Cross-Workspace AgentFlow Reassignment

7.6CVSS0.00049EPSS

EUVD•added 2 days ago•6 views

EUVD-2026-35106

RedhatCVE•added 5 days ago•7 views

CVE-2026-41273

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public...

8.2CVSS5.4AI score0.0021EPSS

RedhatCVE•added 5 days ago•6 views

CVE-2026-41279

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint POST /api/v1/text-to-speech/generate is whitelisted no auth and accepts a credentialId directly in the request body. When called without a chatflowId, th...

8.2CVSS5.4AI score0.00124EPSS

RedhatCVE•added 5 days ago•6 views

CVE-2026-41278

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...

8.7CVSS5.4AI score0.00034EPSS

Positive Technologies•added 2026/05/31 12:0 a.m.•10 views

PT-2026-45175

🔒 CyberSecurity CVE-2024-36791: Flowise RCE Exploitation — Detection and Hardening Guide "Flowise servers face critical RCE via malicious chatflow imports. Immediate patching required to…" 🔗 https://t.co/VV0BIHRBy9 CyberSecurity ThreatIntel cve zeroday patchtuesday...

5.8AI score

Exploits0References1

Snyk•added 2026/05/20 3:45 p.m.•8 views

Incorrect Authorization

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Incorrect Authorization through the getChatflowByApiKey handler in the chatflow API and the getChatflowByApiKey query in the chatflow service. An attacker can retrieve chatflows from other workspaces by...

7.1CVSS5.8AI score

OSV•added 2026/05/20 3:45 p.m.•2 views

GHSA-C2C9-MFW7-P8HW Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows

Summary The /api/v1/chatflows/apikey/:apikey endpoint whitelisted, accessible with API key auth only returns all chatflows bound to the provided API key AND all chatflows across the entire system that have no API key assigned. This crosses workspace boundaries, allowing a user in Workspace A who...

5.3CVSS5.8AI score

Github Security Blog•added 2026/05/20 3:45 p.m.•14 views

Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows

5.8AI score

Exploits0References2Affected Software1

OSV•added 2026/05/14 2:54 p.m.•2 views

GHSA-5WXP-QJGQ-FX6M FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment

Summary A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side...

7.6CVSS5.7AI score0.00049EPSS

Exploits0References4

Snyk•added 2026/05/14 2:54 p.m.•5 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes over the /api/v1/chatflows endpoint. A user can gain unauthorized access to and modify sensitive attributes, such as deployment...

7.6CVSS5.8AI score0.00049EPSS

Exploits0References3

Github Security Blog•added 2026/05/14 2:54 p.m.•10 views

FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment

7.6CVSS5.7AI score0.00049EPSS

Exploits0References4Affected Software1

Patchstack•added 2026/05/14 2:54 p.m.•8 views

NPM: FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment

NPM: FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

5.8AI score0.00049EPSS

Exploits0References3Affected Software1

Positive Technologies•added 2026/05/14 12:0 a.m.•7 views

PT-2026-40977

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the chatflow update endpoint. This occurs when an application takes user-provided data and applies it to an internal object without sufficient filtering, allowing...

7.6CVSS5.5AI score0.00049EPSS

Exploits0References5

RedhatCVE•added 2026/04/24 7:23 p.m.•1 views

CVE-2026-41269

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally...

8.8CVSS5.6AI score0.00146EPSS