Lucene search

3994 matches found

Patchstack
added 2026/05/14 2:52 p.m. | 13 views

NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment

NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

AI score 5.8 | EPSS 0.00172
Exploits 1 | References 3 | Affected Software 1
OSV
added 2026/05/14 2:52 p.m. | 4 views

GHSA-X5V6-PJ28-CWWM FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment

Summary A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and...

CVSS 7.6 | AI score 5.9 | EPSS 0.00172
Exploits 1 | References 4
Snyk
added 2026/05/14 2:52 p.m. | 7 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the /api/v1/variables endpoint. A user can modify internal attributes such as workspaceId, createdDate, and updatedDate by...

CVSS 7.6 | AI score 5.8 | EPSS 0.00211
Exploits 1 | References 3
OSV
added 2026/05/14 2:52 p.m. | 3 views

GHSA-6FW7-3Q8R-M5VJ FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment

Summary A Mass Assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource. Due to missing server-side validation an...

CVSS 7.6 | AI score 5.9 | EPSS 0.00211
Exploits 1 | References 4
GitHub Security Blog
added 2026/05/14 2:52 p.m. | 15 views

FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment

Summary A Mass Assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource. Due to missing server-side validation an...

CVSS 9.6 | AI score 5.9 | EPSS 0.00211
Exploits 1 | References 4 | Affected Software 1
Patchstack
added 2026/05/14 2:52 p.m. | 8 views

NPM: FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment

NPM: FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

AI score 5.8 | EPSS 0.00211
Exploits 1 | References 3 | Affected Software 1
Positive Technologies
added 2026/05/14 12:0 a.m. | 9 views

PT-2026-41212

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the dataset create and update processes. The application uses Object.assign to copy the request body into a Dataset entity without an explicit field allowlist,...

CVSS 8.8 | AI score 5.5 | EPSS 0.00335
Exploits 0 | References 8
Positive Technologies
added 2026/05/14 12:0 a.m. | 7 views

PT-2026-40977

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the chatflow update endpoint. This occurs when an application takes user-provided data and applies it to an internal object without sufficient filtering, allowing...

CVSS 8.1 | AI score 5.5 | EPSS 0.00226
Exploits 1 | References 7
Positive Technologies
added 2026/05/14 12:0 a.m. | 12 views

PT-2026-40976

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the tool update endpoint. This occurs when the server does not restrict which properties a client can modify, allowing user-controlled request bodies to include fiel...

CVSS 7.6 | AI score 5.6 | EPSS 0.00172
Exploits 1 | References 7
Positive Technologies
added 2026/05/14 12:0 a.m. | 6 views

PT-2026-40975

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the variable update endpoint '/api/v1/variables/variableId'. This allows authenticated users to modify server-controlled properties by including them in the JSON...

CVSS 9.6 | AI score 5.6 | EPSS 0.00211
Exploits 1 | References 7
Positive Technologies
added 2026/05/14 12:0 a.m. | 8 views

PT-2026-41210

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the assistant create and update processes. The application uses Object.assign to copy the request body into the Assistant entity without an explicit field allowlist,...

CVSS 8.8 | AI score 5.5 | EPSS 0.00335
Exploits 0 | References 8
Positive Technologies
added 2026/05/14 12:0 a.m. | 6 views

PT-2026-41215

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the evaluator create and update processes. The server uses Object.assign to copy the request body into the Evaluator entity without an explicit field allowlist,...

CVSS 7.7 | AI score 5.5 | EPSS 0.00335
Exploits 0 | References 7
Positive Technologies
added 2026/05/14 12:0 a.m. | 6 views

PT-2026-41206

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the assistant update endpoint. This occurs when the server does not restrict which properties can be modified by the client, allowing user-controlled request bodies ...

CVSS 9.6 | AI score 5.6 | EPSS 0.00231
Exploits 1 | References 7
Positive Technologies
added 2026/05/14 12:0 a.m. | 11 views

PT-2026-41190

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.5 Description A missing authorization check in the tool update endpoint "POST /api/v1/tools/id/id/update" allows users to bypass the workspace.tools security boundary. While the tool creation endpoint correctly...

CVSS 7.2 | AI score 6.3 | EPSS 0.00437
Exploits 1 | References 7
Positive Technologies
added 2026/05/14 12:0 a.m. | 10 views

PT-2026-41189

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.5 Description An issue exists where users granted read access to a model can also read the model's system prompt, which may contain confidential information. This occurs because the workspace model edit page...

CVSS 4.3 | AI score 5.8 | EPSS 0.0022
Exploits 1 | References 7
Positive Technologies
added 2026/05/14 12:0 a.m. | 8 views

PT-2026-41213

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the DatasetRow create and update processes. The application uses Object.assign to copy the request body into the DatasetRow entity without an explicit field allowlis...

CVSS 7.7 | AI score 5.5 | EPSS 0.00342
Exploits 0 | References 7
Positive Technologies
added 2026/05/14 12:0 a.m. | 6 views

PT-2026-41214

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the evaluation create and update processes. The server uses Object.assign to copy the request body into the Evaluation entity without an explicit field allowlist,...

CVSS 7.7 | AI score 5.5 | EPSS 0.00335
Exploits 0 | References 7
Positive Technologies
added 2026/05/14 12:0 a.m. | 8 views

PT-2026-41211

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the CustomTemplate create and update processes. The application uses Object.assign to copy the request body into a CustomTemplate entity without an explicit field...

CVSS 8.8 | AI score 5.5 | EPSS 0.00335
Exploits 0 | References 8
ATTACKERKB
added 2026/05/13 9:26 p.m. | 4 views

CVE-2026-42463

SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cross-Workspace IDOR Insecure Direct Object Reference and Authorization Bypass vulnerability in the /api/v1/datasource/exportDsSchema and /api/v1/datasource/uploadDsSchema...

CVSS 8.6 | AI score 5.8 | EPSS 0.00249
Exploits 1 | References 2 | Affected Software 1
Vulnrichment
added 2026/05/13 9:26 p.m. | 6 views

CVE-2026-42463 SQLBot: Unauthorized Access Vulnerability

SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cross-Workspace IDOR Insecure Direct Object Reference and Authorization Bypass vulnerability in the /api/v1/datasource/exportDsSchema and /api/v1/datasource/uploadDsSchema...

CVSS 8.6 | AI score 5.8 | EPSS 0.00249
Exploits 1 | References 1