CVE-2026-42863 Overview
CVE-2026-42863 is a mass assignment vulnerability in FlowiseAI Flowise, a drag-and-drop interface for building large language model (LLM) workflows. The chatflow update endpoint allows authenticated clients to modify server-controlled properties including deployed, isPublic, workspaceId, createdDate, and updatedDate. The endpoint lacks server-side validation and authorization checks, enabling cross-workspace resource reassignment and unauthorized changes to deployment and visibility settings. The flaw is classified under [CWE-284] (Improper Access Control) and affects Flowise versions prior to 3.1.2.
Critical Impact
Authenticated users can reassign chatflows to other workspaces and toggle deployment or public visibility, breaking tenant isolation in multi-workspace Flowise deployments.
Affected Products
- FlowiseAI Flowise versions prior to 3.1.2
- Self-hosted Flowise deployments exposing the chatflow update endpoint
- Multi-workspace Flowise installations relying on workspace-level isolation
Discovery Timeline
- 2026-06-08 - CVE-2026-42863 published to NVD
- 2026-06-11 - Last updated in the NVD database
Technical Details for CVE-2026-42863
Vulnerability Analysis
The vulnerability resides in the chatflow update endpoint of FlowiseAI. The endpoint binds incoming request payloads directly to the chatflow object without filtering server-controlled fields. An authenticated user can submit a request that includes fields the application should never accept from clients, such as workspaceId, deployed, isPublic, createdDate, and updatedDate.
Because the server lacks both attribute-level validation and ownership authorization, the request is persisted as-is. The result is a classic mass assignment flaw [CWE-284] enabling privilege and scope manipulation through trusted API surfaces. Exploitation requires only valid authenticated session credentials and network access to the Flowise API.
Root Cause
The root cause is missing allowlist filtering on the update handler combined with absent authorization checks tying the modified chatflow to the requester's workspace. Server-managed metadata fields are exposed to client input rather than being set exclusively by application logic.
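The following is an added illustration, not code from the Flowise project: a chatflow update handler that binds the payload wholesale, beside a hardened one that enforces workspace ownership and a field allowlist. The record shape, the requester object and the CLIENT_EDITABLE field names are assumptions; the server-controlled field names are the ones this advisory lists.

```javascript
// Added example, not Flowise code. Record/request shapes and CLIENT_EDITABLE are assumed.
// Fields this advisory names as server-controlled: never accepted from a client payload.
const SERVER_CONTROLLED = new Set(["id", "workspaceId", "deployed", "isPublic", "createdDate", "updatedDate"]);
// Fields a client may change on a chatflow it owns (assumed allowlist).
const CLIENT_EDITABLE = new Set(["name", "flowData", "chatbotConfig", "category"]);

// Vulnerable pattern: the whole payload is merged onto the stored record, so
// workspaceId, deployed and isPublic become whatever the client sent.
function updateChatflowVulnerable(record, payload) {
  return { ...record, ...payload };
}

// Hardened pattern: authorize against the owning workspace first, then apply only
// allowlisted fields, and let the server set updatedDate itself.
function updateChatflowHardened(record, payload, requester, now = new Date()) {
  // Authorization: the requester must be a member of the workspace that owns the record.
  if (!requester.workspaceIds.includes(record.workspaceId)) {
    return { ok: false, status: 403, error: "chatflow is not in the requester's workspace" };
  }
  // Reject, rather than silently drop, attempts to set server-controlled fields so the
  // attempt is visible in application logs.
  const rejected = Object.keys(payload).filter((k) => SERVER_CONTROLLED.has(k));
  if (rejected.length > 0) {
    return { ok: false, status: 400, error: `disallowed fields: ${rejected.join(", ")}` };
  }
  const updated = { ...record };
  for (const [key, value] of Object.entries(payload)) {
    if (CLIENT_EDITABLE.has(key)) updated[key] = value; // unknown keys are ignored
  }
  updated.updatedDate = now.toISOString(); // server-managed, never taken from the client
  return { ok: true, status: 200, record: updated };
}
```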
Attack Vector
The attack is delivered over the network against the chatflow update API. An authenticated user crafts an HTTP request containing additional JSON properties such as workspaceId set to a target workspace, isPublic set to true, or deployed set to true. The server applies these properties to the chatflow record, allowing the attacker to migrate resources between tenants and expose private chatflows publicly.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-5wxp-qjgq-fx6m for vendor technical details.
Detection Methods for CVE-2026-42863
Indicators of Compromise
- Chatflow records with workspaceId values that no longer match the original owning workspace or the requesting user's workspace membership.
- Unexpected transitions of deployed or isPublic flags to true outside of normal administrative activity.
- updatedDate or createdDate values that differ from server-observed timestamps in audit logs.
Detection Strategies
- Inspect HTTP PUT or PATCH requests to the chatflow update endpoint for payloads containing workspaceId, deployed, isPublic, createdDate, or updatedDate fields.
- Compare application-layer audit logs against database state to identify chatflows whose workspace ownership changed without a corresponding administrative action.
- Correlate authenticated user sessions with chatflow modification events across workspace boundaries.
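An added example, not part of this advisory or of Flowise, that applies the detection strategies above (and the indicators listed before them) to logged update requests: it flags bodies carrying server-controlled fields and modifications by users outside the chatflow's owning workspace. The log line format, the /api/v1/chatflows/:id route, and the ownership and membership tables are constructed assumptions for a reverse proxy that retains JSON bodies.

```javascript
// Added example, not Flowise code. Log format, route pattern and state tables are assumed.
const WATCHED_FIELDS = ["workspaceId", "deployed", "isPublic", "createdDate", "updatedDate"];
const UPDATE_PATH = /^\/api\/v1\/chatflows\/([^/]+)$/; // assumed chatflow update route

// Constructed sample log: one JSON object per line, as a body-logging proxy might emit.
const SAMPLE_LOG = [
  '{"ts":"2026-06-09T10:00:00Z","user":"alice","method":"PUT","path":"/api/v1/chatflows/cf-1","body":{"name":"renamed"}}',
  '{"ts":"2026-06-09T10:01:00Z","user":"bob","method":"PUT","path":"/api/v1/chatflows/cf-2","body":{"workspaceId":"ws-B","isPublic":true}}',
  '{"ts":"2026-06-09T10:02:00Z","user":"alice","method":"GET","path":"/api/v1/chatflows/cf-1"}',
  '{"ts":"2026-06-09T10:03:00Z","user":"carol","method":"PATCH","path":"/api/v1/chatflows/cf-1","body":{"deployed":true}}',
].join("\n");

// Constructed state: owning workspace per chatflow, and workspace membership per user.
const CHATFLOW_OWNER = { "cf-1": "ws-A", "cf-2": "ws-A" };
const MEMBERSHIP = { alice: ["ws-A"], bob: ["ws-B"], carol: ["ws-A"] };

// Returns one finding per suspicious update request, with the reasons it matched.
function scanChatflowUpdates(logText, owners, membership) {
  const findings = [];
  for (const line of logText.split("\n").filter(Boolean)) {
    const entry = JSON.parse(line);
    const m = UPDATE_PATH.exec(entry.path);
    if (!m || !["PUT", "PATCH"].includes(entry.method)) continue; // only update calls
    const chatflowId = m[1];
    const body = entry.body || {};
    const reasons = [];
    // Check 1: server-controlled fields present in the request body.
    const fields = WATCHED_FIELDS.filter((f) => Object.prototype.hasOwnProperty.call(body, f));
    if (fields.length > 0) reasons.push(`server-controlled fields in body: ${fields.join(",")}`);
    // Check 2: the modifying user is not a member of the workspace that owns the chatflow.
    const owner = owners[chatflowId];
    if (owner && !(membership[entry.user] || []).includes(owner)) {
      reasons.push(`user ${entry.user} is not a member of owning workspace ${owner}`);
    }
    if (reasons.length > 0) findings.push({ ts: entry.ts, user: entry.user, chatflowId, reasons });
  }
  return findings;
}
```

Findings from check 2 also cover the first indicator of compromise above, since a record whose workspaceId no longer matches its modifier's membership shows up here even when the body looked benign.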
Monitoring Recommendations
- Enable verbose API request logging on the Flowise reverse proxy or application gateway to retain full JSON bodies for update calls.
- Alert on any chatflow becoming publicly accessible (isPublic=true) and require a manual review workflow.
- Track per-user rates of chatflow updates and flag anomalies that suggest enumeration or bulk reassignment.
How to Mitigate CVE-2026-42863
Immediate Actions Required
- Upgrade Flowise to version 3.1.2 or later, which contains the vendor patch addressing the mass assignment flaw.
- Audit existing chatflows for unauthorized changes to workspaceId, deployed, and isPublic fields and revert any unauthorized modifications.
- Rotate API tokens and session secrets for users who had access to vulnerable instances.
Patch Information
The vendor patched the issue in Flowise 3.1.2. Release details are available in the GitHub Flowise Release 3.1.2 notes and the GitHub Security Advisory GHSA-5wxp-qjgq-fx6m.
Workarounds
- Restrict access to the Flowise application to trusted users via network controls or an authenticating reverse proxy until patching is complete.
- Place an API gateway or WAF rule in front of the chatflow update endpoint to strip disallowed fields such as workspaceId, deployed, isPublic, createdDate, and updatedDate from request bodies.
- Limit chatflow update privileges to a smaller set of administrative accounts where feasible.
# Configuration example: upgrade Flowise to the patched release
npm install -g flowise@3.1.2
pm2 restart flowise
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

