CVE-2026-42862
MediumCVSS 5.0Exploitation Probability (EPSS)
Low risk13th percentile - higher than 13% of all known CVEs
Summary
In Flowise, prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint. This allows authenticated users to modify server-controlled properties, leading to a breach of tenant isolation in multi-workspace environments.
Risk Assessment
An attacker can manipulate the workspaceId field, allowing them to reassign tools to arbitrary workspaces, which jeopardizes data security and user isolation.
Recommendation
It is recommended to upgrade to version 3.1.2 or later to mitigate this vulnerability and implement additional server-side validation and authorization checks.
Original NVD description (English source)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign tools to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.

