CVE-2026-42861 Flowise: Mass Assignment in Variable Update Endpoint Allows Cross-Workspace Resource Reassignment
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId,...
CVE-2026-42861
Summary: CVE-2026-42861 affects Flowise (pre-3.1.2) with a mass assignment flaw in the variable update endpoint. What’s vulnerable: the PUT /api/v1/variables/{variableId} endpoint allows authenticated users to modify server-controlled fields (workspaceId, createdDate, updatedDate) by submitting t...
Flowise Access Control Error Vulnerability
Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise prior to 3.1.2 contained an access control vulnerability. This vulnerability stemmed from a lack of server-side verification and authorization checks at the tool’s update...
Flowise Access Control Error Vulnerability
Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise prior to 3.1.2 contained an access control vulnerability. This vulnerability stemmed from a lack of server-side verification and authorization checks at the variable update...
Flowise Access Control Error Vulnerability
Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise prior to 3.1.2 contained an access control vulnerability. This vulnerability stemmed from insufficient server-side verification and authorization checks at the chat stream upda...
CVE-2026-30950
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the sessionid of another user's session,...
CLSA-2026-1779372207 curl: Fix of CVE-2026-7168
CVE-2026-7168: clear proxy Digest auth state when CURLOPT_PROXY is reassigned to a different proxy host on the same easy handle so a stale Proxy-Authorization header is not replayed to the new proxy...
CVE-2026-30950 AutoGPT has Authenticated Session Hijacking via IDOR
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the sessionid of another user's session,...
PT-2026-41739
Name of the Vulnerable Software and Affected Versions: AutoGPT versions 0.6.36 through 0.6.50. Description: AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. The software is subject to Authenticated Session Hijacking via Insecu...
NPM: FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
NPM: FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
NPM: FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
NPM: FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
Summary: A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and...
GHSA-6FW7-3Q8R-M5VJ FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment
Summary: A Mass Assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource. Due to missing server-side validation an...
NPM: FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment
NPM: FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
PT-2026-40977
Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.1.2. Description: A mass assignment issue exists in the chatflow update endpoint. This occurs when an application takes user-provided data and applies it to an internal object without sufficient filtering, allowing...
DRUPAL-CONTRIB-2026-034
Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page. The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user. This vulnerability is mitigated by...
PT-2026-40836
Name of the Vulnerable Software and Affected Versions: Node View Permissions versions 0.0.0 through 1.6.x; Node View Permissions versions 2.0.0 through 2.0.0. Description: An improper check for unusual or exceptional conditions in the Node View Permissions module allows forceful browsing. The module...
Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034
Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page. The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user. This vulnerability is mitigated by...
SUSE CVE-2026-43078
In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl. When page reassignment was added to af_alg_pull_tsgl the original loop wasn't updated so it may try to reassign one more page than necessary. Add the check to the...