Lucene search
K

27 matches found

NVD
NVD
added 6 days ago8 views

CVE-2026-56779

MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and downloadurl parameters. Attackers with default workspace USER role can...

6.4CVSS0.00171EPSS
Exploits0References3
EUVD
EUVD
added 6 days ago4 views

EUVD-2026-39527

MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and downloadurl parameters. Attackers with default workspace USER role can...

6.4CVSS6AI score0.00171EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/09 8:59 p.m.10 views

CVE-2026-42862

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId,...

7.6CVSS5.5AI score0.00195EPSS
Exploits1References1
NVD
NVD
added 2026/06/08 4:16 p.m.9 views

CVE-2026-42862

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId,...

7.6CVSS0.00195EPSS
Exploits1References2
CVE
CVE
added 2026/06/08 3:25 p.m.17 views

CVE-2026-42862

FlowiseAI (CVE-2026-42862) has a mass-assignment flaw in the tool update endpoint (PUT /api/v1/tools/{toolId}) that lets authenticated users modify server-controlled fields such as workspaceId, createdDate, and updatedDate without proper validation/authorization. This enables cross-workspace reas...

7.6CVSS5.5AI score0.00195EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/08 3:25 p.m.6 views

CVE-2026-42862

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId,...

7.6CVSS5.5AI score0.00195EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/08 3:25 p.m.10 views

CVE-2026-42862 Flowise: Mass Assignment in Tool Update Endpoint Allows Cross-Workspace Resource Reassignment

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId,...

7.6CVSS5.5AI score0.00195EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/06/08 3:25 p.m.42 views

CVE-2026-42862 Flowise: Mass Assignment in Tool Update Endpoint Allows Cross-Workspace Resource Reassignment

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId,...

7.6CVSS0.00195EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/15 8:33 p.m.8 views

CVE-2026-45395 Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint POST /api/v1/tools/id/id/update is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been...

7.2CVSS6.2AI score0.00437EPSS
Exploits1References1
CVE
CVE
added 2026/05/15 8:33 p.m.20 views

CVE-2026-45395

Summary: CVE-2026-45395 (Open WebUI) is a missing authorization check on the tool update endpoint. Before 0.9.5, POST /api/v1/tools/id/{id}/update validates only a write-grant for the tool and does not enforce the workspace.tools permission, unlike the create endpoint which requires workspace.too...

7.2CVSS6.2AI score0.00437EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/05/15 8:33 p.m.43 views

CVE-2026-45395 Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint POST /api/v1/tools/id/id/update is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been...

7.2CVSS0.00437EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/15 8:33 p.m.13 views

EUVD-2026-30627

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint POST /api/v1/tools/id/id/update is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been...

7.2CVSS6.2AI score0.00437EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/15 12:0 a.m.8 views

Open WebUI 安全漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.5 contained security vulnerabilities. These vulnerabilities stemmed from a lack of workspace.tools permission checks at the tool update endpoint, which could allow...

7.2CVSS5.8AI score0.00437EPSS
Exploits1References2
Patchstack
Patchstack
added 2026/05/14 8:26 p.m.7 views

NPM: Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution

NPM: Open WebUI: Missing workspace.tools Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution vulnerability discovered by ? in WordPress Npm open-webui versions 0.9.5...

7.2CVSS5.8AI score0.00437EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/05/14 8:26 p.m.7 views

GHSA-P4FX-23FQ-JFG6 Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution

Summary The tool update endpoint POST /api/v1/tools/id/id/update is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been explicitly denied tool management capabilities and who the administrator considers untrusted for code...

7.2CVSS6.4AI score0.00437EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/05/14 8:26 p.m.11 views

Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution

Summary The tool update endpoint POST /api/v1/tools/id/id/update is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been explicitly denied tool management capabilities and who the administrator considers untrusted for code...

7.2CVSS6.4AI score0.00437EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/05/14 2:52 p.m.6 views

GHSA-X5V6-PJ28-CWWM FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment

Summary A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and...

7.6CVSS5.9AI score0.00195EPSS
Exploits1References4
Patchstack
Patchstack
added 2026/05/14 2:52 p.m.19 views

NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment

NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

5.8AI score0.00195EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/14 2:52 p.m.13 views

FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment

Summary A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and...

7.6CVSS5.9AI score0.00195EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.22 views

PT-2026-40976

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the tool update endpoint. This occurs when the server does not restrict which properties a client can modify, allowing user-controlled request bodies to include fiel...

7.6CVSS5.6AI score0.00195EPSS
Exploits1References7
Rows per page
Query Builder