7 matches found

CVE
added 2026/03/07 5:08 a.m., 16 views

CVE-2026-30822

CVE-2026-30822 (Flowise leads API): The connected advisory documents reveal a mass assignment vulnerability in the public POST /api/v1/leads endpoint. The code copies all request properties to a Lead entity via Object.assign(newLead, body), which overwrites auto-generated fields like id (UUID), ...

CVSS 7.7, AI score 7.1, EPSS 0.00455
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2026/03/07 5:08 a.m., 29 views

CVE-2026-30822 Flowise: Mass Assignment in `/api/v1/leads` Endpoint

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13...

CVSS 7.7, EPSS 0.00455
Exploits: 1, References: 2
OSV
added 2026/03/07 5:08 a.m., 1 view

CVE-2026-30822 Flowise: Mass Assignment in `/api/v1/leads` Endpoint

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13...

CVSS 7.7, AI score 5.8, EPSS 0.00455
Exploits: 1, References: 4
Github Security Blog
added 2026/03/06 10:19 p.m., 4 views

Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint

Summary: A Mass Assignment vulnerability in the /api/v1/leads endpoint allows any unauthenticated user to control internal entity fields id, createdDate, chatId by including them in the request body. The endpoint uses Object.assign to copy all properties from the request body to the Lead entity...

CVSS 7.7, AI score 5.9, EPSS 0.00455
Exploits: 1, References: 4, Affected Software: 1
OSV
added 2026/03/06 10:19 p.m., 3 views

GHSA-MQ4R-H2GH-QV7X Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint

Summary: A Mass Assignment vulnerability in the /api/v1/leads endpoint allows any unauthenticated user to control internal entity fields id, createdDate, chatId by including them in the request body. The endpoint uses Object.assign to copy all properties from the request body to the Lead entity...

CVSS 7.7, AI score 5.9, EPSS 0.00455
Exploits: 1, References: 4
Snyk
added 2026/03/06 10:19 p.m., 3 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview: flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the Object.assign function. An attacker can manipulate internal entity fields such as id, createdDate, and chatId by...

CVSS 9.2, AI score 5.8, EPSS 0.00455
Exploits: 1, References: 2
Positive Technologies
added 2026/03/06 12:00 a.m., 5 views

PT-2026-23788

Flowise and Affected Versions: Flowise versions prior to 3.0.13. Description: Flowise is a drag & drop user interface to build a customized large language model flow. A mass assignment issue exists in the /api/v1/leads endpoint, allowing unauthenticated users to control internal entity fields id,...

CVSS 7.7, AI score 7.2, EPSS 0.00455
Exploits: 1, References: 5