Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42862

CVE-2026-42862: Flowiseai Flowise Auth Bypass Vulnerability

CVE-2026-42862 is an authentication bypass flaw in Flowiseai Flowise that allows attackers to manipulate workspace assignments and break tenant isolation. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-42862 Overview

CVE-2026-42862 is a mass assignment vulnerability in FlowiseAI Flowise, a drag-and-drop interface for building large language model (LLM) flows. The flaw resides in the tool update endpoint, which fails to restrict server-controlled properties. Authenticated users can modify fields such as workspaceId, createdDate, and updatedDate when updating a tool resource. By manipulating workspaceId, an attacker reassigns tools to arbitrary workspaces and breaks tenant isolation in multi-workspace deployments. The issue affects all versions prior to 3.1.2 and is tracked under [CWE-284] Improper Access Control.

Critical Impact

Authenticated attackers can reassign tools across workspace boundaries, breaking tenant isolation in multi-tenant FlowiseAI deployments.

Affected Products

  • FlowiseAI Flowise versions prior to 3.1.2
  • Multi-workspace Flowise deployments
  • Self-hosted FlowiseAI instances exposing the tool update endpoint

Discovery Timeline

  • 2026-06-08 - CVE-2026-42862 published to NVD
  • 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2026-42862

Vulnerability Analysis

The vulnerability is a mass assignment flaw in the FlowiseAI tool update endpoint. The handler binds incoming request payloads directly to the tool model without filtering server-controlled fields. Authenticated users can therefore submit arbitrary values for workspaceId, createdDate, and updatedDate during an update operation.

Because Flowise relies on workspaceId to enforce tenant boundaries, overwriting that field reassigns the tool to a different workspace. In multi-tenant environments, this allows a user in workspace A to move their tool into workspace B, or to pivot a tool out of an isolated tenant. The result is a violation of authorization boundaries that Flowise is supposed to enforce at the data layer.

Exploitation requires only low-privileged authenticated access and a network path to the API. No user interaction is needed. The attack complexity is elevated because the attacker must know or guess a target workspaceId, but enumeration is feasible in shared deployments.

Root Cause

The root cause is the absence of server-side validation and authorization checks on the tool update endpoint. The endpoint accepts the full request body and writes it to the tool record without an allowlist of editable fields. Combined with missing authorization checks on the supplied workspaceId, this permits cross-tenant writes.

Attack Vector

The attack vector is network-based against the Flowise REST API. An authenticated attacker issues a tool update request containing a workspaceId value that points to a workspace they do not own. The server persists the change, and the tool is now visible and usable from the target workspace. See the GitHub Security Advisory GHSA-x5v6-pj28-cwwm for additional technical context.

Detection Methods for CVE-2026-42862

Indicators of Compromise

  • Tool update API calls containing workspaceId, createdDate, or updatedDate fields in the request body
  • Tool records whose workspaceId value changes unexpectedly between audit snapshots
  • Tools appearing in a workspace without a matching creation event in that workspace's logs
  • Authenticated API activity from user accounts referencing workspace identifiers outside their assigned tenant

Detection Strategies

  • Inspect HTTP request bodies sent to the Flowise tool update endpoint and alert on the presence of server-controlled fields
  • Compare current workspaceId values for tool records against historical baselines to identify reassignments
  • Correlate API authentication identity with the workspaceId referenced in update operations and flag mismatches

Monitoring Recommendations

  • Enable verbose application logging on Flowise API endpoints, capturing full request payloads for tool resources
  • Forward Flowise application and reverse proxy logs to a central log platform for cross-tenant anomaly analysis
  • Alert on bulk tool update activity originating from a single authenticated session within a short window

How to Mitigate CVE-2026-42862

Immediate Actions Required

  • Upgrade FlowiseAI Flowise to version 3.1.2 or later, which contains the official fix
  • Audit existing tool records and verify that each workspaceId matches the intended owning tenant
  • Rotate API tokens and review authenticated user accounts in multi-workspace deployments for suspicious activity

Patch Information

FlowiseAI released the fix in Flowise 3.1.2. The patch adds server-side validation and authorization checks on the tool update endpoint, preventing modification of workspaceId, createdDate, and updatedDate by clients. Operators should upgrade as the primary remediation. Full details are documented in the Flowise security advisory GHSA-x5v6-pj28-cwwm.

Workarounds

  • Restrict access to the Flowise tool update endpoint at the reverse proxy or API gateway until the upgrade is applied
  • Limit authenticated user accounts to single-workspace deployments where cross-tenant isolation is not required
  • Implement a request-body filter in front of Flowise that strips workspaceId, createdDate, and updatedDate fields from update requests
bash
# Configuration example: upgrade Flowise to the patched release
npm install -g flowise@3.1.2
# or, for Docker deployments
docker pull flowiseai/flowise:3.1.2
docker stop flowise && docker rm flowise
docker run -d --name flowise -p 3000:3000 flowiseai/flowise:3.1.2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne