51 matches found
CVE-2026-42863
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic,...
CVE-2026-42863
Summary. FlowiseAI’s Flowise product has a mass-assignment vulnerability in the chatflow update endpoint that lets an authenticated user modify server-controlled fields (deployed, isPublic, workspaceId, createdDate, updatedDate, etc.) and reassign a chatflow to another workspace. The issue stems ...
CVE-2026-42863
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic,...
CVE-2026-42863 Flowise: Mass Assignment in Chatflow Update Endpoint Allows Cross-Workspace AgentFlow Reassignment
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic,...
EUVD-2026-35106
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic,...
CVE-2026-41273
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public...
CVE-2026-41279
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint POST /api/v1/text-to-speech/generate is whitelisted no auth and accepts a credentialId directly in the request body. When called without a chatflowId, th...
CVE-2026-41278
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...
PT-2026-45175
🔒 CyberSecurity CVE-2024-36791: Flowise RCE Exploitation — Detection and Hardening Guide "Flowise servers face critical RCE via malicious chatflow imports. Immediate patching required to…" 🔗 https://t.co/VV0BIHRBy9 CyberSecurity ThreatIntel cve zeroday patchtuesday...
Incorrect Authorization
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Incorrect Authorization through the getChatflowByApiKey handler in the chatflow API and the getChatflowByApiKey query in the chatflow service. An attacker can retrieve chatflows from other workspaces by...
GHSA-C2C9-MFW7-P8HW Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
Summary The /api/v1/chatflows/apikey/:apikey endpoint whitelisted, accessible with API key auth only returns all chatflows bound to the provided API key AND all chatflows across the entire system that have no API key assigned. This crosses workspace boundaries, allowing a user in Workspace A who...
Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
Summary The /api/v1/chatflows/apikey/:apikey endpoint whitelisted, accessible with API key auth only returns all chatflows bound to the provided API key AND all chatflows across the entire system that have no API key assigned. This crosses workspace boundaries, allowing a user in Workspace A who...
GHSA-5WXP-QJGQ-FX6M FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
Summary A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes over the /api/v1/chatflows endpoint. A user can gain unauthorized access to and modify sensitive attributes, such as deployment...
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
Summary A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side...
NPM: FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
NPM: FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
PT-2026-40977
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the chatflow update endpoint. This occurs when an application takes user-provided data and applies it to an internal object without sufficient filtering, allowing...
CVE-2026-41269
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally...
CVE-2026-41278
Flowise CVE-2026-41278 affects public data exposure in the Flowise UI. Prior to version 3.1.0, GET /api/v1/public-chatflows/:id returned unsanitized chatflow objects; the released v3.0.13 Docker image lacked sanitizeFlowDataForPublicEndpoint. Both public-chatflows and public-chatbotConfig returne...
EUVD-2026-25290
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public...