76 matches found
CVE-2026-8028
A vulnerability was detected in FlowiseAI Flowise up to 3.0.12. This affects the function verify of the file packages/server/src/enterprise/services/account.service.ts of the component Endpoint. Performing a manipulation results in information disclosure. Remote exploitation of the attack is...
CVE-2026-8027
A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated...
CVE-2026-8026
A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched...
FlowiseAI Flowise <= 2.2.6 - Arbitrary File Upload
FlowiseAI Flowise version 2.2.6 and below contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. This vulnerability allows an unauthenticated attacker to upload files outside the intended directory through path traversal, potentially leading to API key exposure and...
PT-2026-43619
Threat Intel May 26, 2026 Vulnerability Intelligence Briefing Curated from daily vulnerability intelligence monitoring and exploitation telemetry analysis by cvelogic. --- 1. Known Exploited Vulnerabilities CISA KEV CVE-2026-48172 LiteSpeed cPanel Plugin Added to the CISA KEV catalog following...
NPM: FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
NPM: FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
NPM: FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
NPM: FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
NPM: FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
NPM: FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
NPM: FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
NPM: FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
GHSA-78PR-C5X5-JGGC FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Assistant entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/assistants/index.ts Root cause: The Assistant controller/service construct...
NPM: FlowiseAI: Vector Store No Permission Checks
NPM: FlowiseAI: Vector Store No Permission Checks vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
NPM: FlowiseAI Vulnerable to Credential Data Leak
NPM: FlowiseAI Vulnerable to Credential Data Leak vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
NPM: FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
NPM: FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
Summary A Mass Assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation...
FlowiseAI Exposes Basic Auth Credentials via API
Detection Method: Kolega.dev Deep Code Scan | Attribute | Value | |---|---| | Severity | Medium | | CWE | CWE-522 Insufficiently Protected Credentials | | Location | packages/server/src/enterprise/controllers/account.controller.ts:128-135 | | Practical Exploitability | Medium | | Developer Approv...
NPM: FlowiseAI Exposes Basic Auth Credentials via API
NPM: FlowiseAI Exposes Basic Auth Credentials via API vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes over the /api/v1/chatflows endpoint. A user can gain unauthorized access to and modify sensitive attributes, such as deployment...
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
Summary A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and...
GHSA-X5V6-PJ28-CWWM FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
Summary A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and...
NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...