CVE-2026-46441 Overview
CVE-2026-46441 is a mass assignment vulnerability in FlowiseAI Flowise, a drag-and-drop interface for building large language model (LLM) workflows. Versions prior to 3.1.2 expose the assistant update endpoint to authenticated users without enforcing server-side validation on protected fields. Attackers can modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Manipulating workspaceId reassigns assistants to arbitrary workspaces, breaking tenant isolation in multi-workspace deployments. The vulnerability is categorized under CWE-284: Improper Access Control.
Critical Impact
Authenticated attackers can break tenant isolation by reassigning assistants across workspaces, exposing cross-tenant LLM resources in shared FlowiseAI deployments.
Affected Products
- FlowiseAI Flowise versions prior to 3.1.2
- Multi-workspace FlowiseAI deployments with authenticated users
- Self-hosted Flowise instances exposing the assistant update API
Discovery Timeline
- 2026-06-08 - CVE-2026-46441 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-46441
Vulnerability Analysis
The vulnerability stems from the assistant update endpoint accepting client-supplied values for fields the server should control exclusively. Flowise binds incoming JSON payloads directly to the assistant model without filtering protected attributes. Authenticated users can therefore submit arbitrary values for workspaceId, createdDate, and updatedDate during an update operation.
In multi-tenant Flowise deployments, the workspaceId field anchors tenant isolation. Reassigning an assistant to another workspace allows an attacker to move resources out of their assigned tenant boundary. This subverts the access control model that workspace separation is designed to enforce.
Root Cause
The root cause is missing server-side authorization and field-level validation in the assistant update handler. The endpoint trusts the client request body and propagates all supplied keys into the persistence layer. No allow-list filters administrative or ownership fields before the database write.
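To make the root cause concrete, the following added example (hypothetical code, not Flowise's own handler) shows the mass-assignment shape beside an allow-listed update that also checks workspace ownership. Only the field names workspaceId, createdDate and updatedDate come from the advisory; the writable-field set, the route logic and the sample data are assumptions.

```javascript
// Fields a client may legitimately change on an assistant (assumed set for this example).
const ASSISTANT_WRITABLE_FIELDS = new Set(["name", "details", "iconSrc"]);
// Fields only the server may set; the last three are the ones the advisory names.
const ASSISTANT_PROTECTED_FIELDS = new Set(["id", "workspaceId", "createdDate", "updatedDate"]);

// Vulnerable shape: every key in the request body is copied onto the stored entity,
// so a body carrying workspaceId silently moves the assistant to another tenant.
function updateAssistantVulnerable(existing, body) {
  return Object.assign({}, existing, body);
}

// Hardened shape: verify the caller owns the assistant's workspace, reject bodies that
// name a protected field (so the attempt can be logged), copy only allow-listed keys,
// and stamp updatedDate on the server instead of trusting the client.
function updateAssistantHardened(existing, body, callerWorkspaceId, now = new Date()) {
  if (existing.workspaceId !== callerWorkspaceId) {
    throw Object.assign(new Error("assistant belongs to another workspace"), { status: 403 });
  }
  const rejected = Object.keys(body).filter((k) => ASSISTANT_PROTECTED_FIELDS.has(k));
  if (rejected.length > 0) {
    throw Object.assign(new Error(`protected fields in body: ${rejected.join(", ")}`), { status: 400 });
  }
  const patch = {};
  for (const [k, v] of Object.entries(body)) {
    if (ASSISTANT_WRITABLE_FIELDS.has(k)) patch[k] = v; // unknown keys are dropped, not persisted
  }
  return { ...existing, ...patch, updatedDate: now.toISOString() };
}

// Constructed sample: an assistant in workspace ws-A and a body that tries to move it to ws-B.
const sampleAssistant = {
  id: "asst-1", name: "Support bot", workspaceId: "ws-A",
  createdDate: "2026-01-01T00:00:00.000Z", updatedDate: "2026-01-01T00:00:00.000Z",
};
const tamperedBody = { name: "Support bot v2", workspaceId: "ws-B" };

console.log(updateAssistantVulnerable(sampleAssistant, tamperedBody).workspaceId); // "ws-B"
try {
  updateAssistantHardened(sampleAssistant, tamperedBody, "ws-A");
} catch (e) {
  console.log(e.status, e.message); // 400 protected fields in body: workspaceId
}
```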
Attack Vector
Exploitation requires network access to the Flowise API and valid authenticated credentials with permission to update at least one assistant. The attacker sends a PUT or PATCH request to the assistant update endpoint and includes a workspaceId field referencing a target workspace. The server commits the change without verifying the caller's authority over that workspace. The vulnerability is described in the GitHub Security Advisory GHSA-hp26-q66v-q2w7.
// No verified exploit code is publicly available.
// See the upstream advisory for technical details on the
// vulnerable assistant update endpoint and patched fields.
Detection Methods for CVE-2026-46441
Indicators of Compromise
- Assistant records whose workspaceId does not match the workspace of the user who last updated them.
- Unexpected changes to createdDate or updatedDate fields on assistant objects.
- API requests to the assistant update endpoint containing workspaceId in the JSON body.
- Audit log entries showing assistants appearing in or disappearing from workspaces without administrator action.
Detection Strategies
- Inspect application and reverse-proxy logs for PUT or PATCH requests to assistant update routes that include privileged fields in the payload.
- Query the Flowise database for assistants whose workspaceId does not align with their creator or original tenant context.
- Compare the running Flowise version against 3.1.2 and flag any instance below that release.
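The first two detection strategies above, as an added example run over constructed data (not Flowise tooling). It assumes a proxy or application log with one JSON object per line that captures the request body, a /api/v1/assistants/ route prefix, and a createdBy column on assistant rows; all three are assumptions.

```javascript
const PRIVILEGED_FIELDS = ["workspaceId", "createdDate", "updatedDate"];
const ASSISTANT_UPDATE_ROUTE = /^\/api\/v1\/assistants\/[^/]+$/; // assumed route shape

// Strategy 1: flag PUT/PATCH requests to the assistant update route whose JSON body
// carries a privileged field. Returns one finding per offending request.
function flagPrivilegedUpdates(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!["PUT", "PATCH"].includes(rec.method) || !ASSISTANT_UPDATE_ROUTE.test(rec.path)) continue;
    const body = rec.body && typeof rec.body === "object" ? rec.body : {};
    const fields = PRIVILEGED_FIELDS.filter((f) => Object.prototype.hasOwnProperty.call(body, f));
    if (fields.length) findings.push({ ts: rec.ts, user: rec.user, path: rec.path, fields });
  }
  return findings;
}

// Strategy 2: given assistant rows and a user -> workspace map, return assistants whose
// workspaceId no longer matches the workspace of the user who created them.
function findWorkspaceMismatches(assistants, userWorkspace) {
  return assistants.filter(
    (a) => userWorkspace[a.createdBy] !== undefined && userWorkspace[a.createdBy] !== a.workspaceId
  );
}

// Constructed sample log: one benign rename, one update that smuggles workspaceId,
// one read, and one malformed line.
const sampleLog = [
  '{"ts":"2026-06-09T10:00:00Z","method":"PATCH","path":"/api/v1/assistants/asst-1","user":"u1","body":{"name":"x"}}',
  '{"ts":"2026-06-09T10:00:05Z","method":"PATCH","path":"/api/v1/assistants/asst-1","user":"u1","body":{"name":"x","workspaceId":"ws-B"}}',
  '{"ts":"2026-06-09T10:00:09Z","method":"GET","path":"/api/v1/assistants/asst-1","user":"u1"}',
  "not json",
].join("\n");
// Constructed sample rows: asst-1 has been moved out of its creator's workspace.
const sampleAssistants = [
  { id: "asst-1", workspaceId: "ws-B", createdBy: "u1" },
  { id: "asst-2", workspaceId: "ws-A", createdBy: "u1" },
];
const sampleUserWorkspace = { u1: "ws-A" };

console.log(flagPrivilegedUpdates(sampleLog));          // one finding, fields ["workspaceId"]
console.log(findWorkspaceMismatches(sampleAssistants, sampleUserWorkspace)); // [asst-1]
```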
Monitoring Recommendations
- Forward Flowise application logs and API access logs to a centralized analytics platform for correlation across tenants.
- Alert on anomalous workspace membership changes for assistant resources.
- Monitor authenticated API traffic for clients sending unexpected fields such as workspaceId, createdDate, or updatedDate in update bodies.
How to Mitigate CVE-2026-46441
Immediate Actions Required
- Upgrade Flowise to version 3.1.2 or later, as published in the Flowise 3.1.2 release notes.
- Audit existing assistant records for unauthorized workspaceId reassignments and restore correct tenancy.
- Rotate API tokens and review accounts that had write access to assistant resources during the exposure window.
Patch Information
FlowiseAI addressed the vulnerability in Flowise 3.1.2 by enforcing server-side validation that prevents client-supplied modification of workspaceId, createdDate, and updatedDate on the assistant update endpoint. Details are documented in the GitHub Security Advisory GHSA-hp26-q66v-q2w7.
Workarounds
- Restrict access to the Flowise API to trusted administrators until the upgrade is completed.
- Place Flowise behind a reverse proxy or API gateway that strips workspaceId, createdDate, and updatedDate from update request bodies.
- Disable multi-workspace usage temporarily if tenant isolation is a hard requirement and patching is delayed.
# Example: upgrade Flowise to the patched release
npm install -g flowise@3.1.2
pm2 restart flowise
flowise --version # confirm 3.1.2 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.