CVE-2026-46480: Flowiseai Flowise Auth Bypass Vulnerability

CVE-2026-46480 is an authentication bypass flaw in Flowiseai Flowise that enables cross-workspace evaluator takeover through mass-assignment. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-46480 Overview

CVE-2026-46480 affects Flowise, a drag-and-drop interface for building large language model (LLM) workflows. Versions prior to 3.1.2 contain a mass-assignment flaw in the evaluator create and update endpoints. An authenticated attacker can supply unexpected fields during these operations to take over evaluators belonging to other workspaces. The maintainers patched the issue in Flowise 3.1.2. The flaw is tracked under [CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes].

Critical Impact

Authenticated users in one workspace can hijack evaluators owned by other workspaces, breaking tenant isolation and compromising the confidentiality, integrity, and availability of LLM evaluation data.

Affected Products

  • Flowise versions prior to 3.1.2
  • FlowiseAI Flowise self-hosted deployments
  • Multi-tenant Flowise instances exposing the evaluator API

Discovery Timeline

  • 2026-06-08 - CVE-2026-46480 published to the National Vulnerability Database
  • 2026-06-09 - Last updated in NVD database
  • Patch released - FlowiseAI published Flowise 3.1.2 with the fix and advisory GHSA-wxrr-jp8m-qq7f

Technical Details for CVE-2026-46480

Vulnerability Analysis

Flowise organizes LLM resources, including evaluators, into workspaces that should be isolated from one another. The evaluator create and update handlers accept request bodies and bind incoming fields directly to backend objects without restricting which attributes a caller can set. This mass-assignment pattern lets an authenticated user submit ownership or workspace identifier fields that the application then trusts. As a result, a low-privileged user can attach themselves to, or reassign ownership of, evaluators that belong to a different workspace. Because evaluators drive LLM output scoring and validation, takeover can lead to manipulated evaluation results, exfiltration of sensitive prompts or datasets, and disruption of dependent workflows.

Root Cause

The root cause is improperly controlled modification of dynamically determined object attributes [CWE-915]. The evaluator endpoints lack an allow-list of writable fields and do not validate that the target evaluator belongs to the caller's workspace before applying updates. The server merges client-supplied JSON into the persisted entity, allowing fields such as workspace identifiers or owner references to be overwritten.
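The vulnerable merge pattern beside the allow-list-plus-ownership-check pattern the fix describes, as an added illustration; the `Evaluator` shape, the in-memory store and the handler names are assumptions, not Flowise's own code.

```typescript
// Added illustration of the CWE-915 pattern described above. The Evaluator shape,
// the in-memory store and the handler names are assumptions, not Flowise's own code.
interface Evaluator { id: string; workspaceId: string; name: string; config: string }
interface Session { userId: string; workspaceId: string }

// Constructed store standing in for the database: one evaluator owned by workspace ws-A.
function seedStore(): Map<string, Evaluator> {
  return new Map<string, Evaluator>([
    ['ev-1', { id: 'ev-1', workspaceId: 'ws-A', name: 'toxicity', config: '{}' }],
  ]);
}

// Vulnerable pattern: the JSON body is merged wholesale into the persisted entity.
// The session is never consulted, so a caller from ws-B can rewrite workspaceId and
// pull ev-1 into their own workspace (the create handler has the same shape).
function updateEvaluatorVulnerable(
  store: Map<string, Evaluator>, _session: Session, id: string, body: Record<string, unknown>,
): Evaluator | undefined {
  const entity = store.get(id);
  if (!entity) return undefined;
  Object.assign(entity, body); // mass assignment: no allow-list, no ownership check
  return entity;
}

// Hardened pattern: an allow-list of writable fields plus a workspace ownership check.
const WRITABLE = ['name', 'config'] as const;

function updateEvaluatorSafe(
  store: Map<string, Evaluator>, session: Session, id: string, body: Record<string, unknown>,
): Evaluator | undefined {
  const entity = store.get(id);
  // Another tenant's evaluator is treated as not found, so its existence is not leaked either.
  if (!entity || entity.workspaceId !== session.workspaceId) return undefined;
  const updated: Evaluator = { ...entity };
  for (const key of WRITABLE) {
    const value = body[key];
    if (typeof value === 'string') updated[key] = value;
  }
  // id, workspaceId and any other unexpected key in the body are dropped rather than trusted.
  store.set(id, updated);
  return updated;
}
```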

Attack Vector

The attack vector is network-based and requires low-privileged authentication. An attacker sends a crafted HTTP request to the evaluator create or update API, including fields that reference another workspace's evaluator or that rewrite ownership metadata. No user interaction is required. Because the request looks like a legitimate API call, exploitation can occur from any client with valid Flowise credentials and network reachability to the management API.

No public proof-of-concept exploit code is currently available. Refer to the GitHub Security Advisory GHSA-wxrr-jp8m-qq7f for vendor-provided technical context.

Detection Methods for CVE-2026-46480

Indicators of Compromise

  • Evaluator records whose workspaceId or owner attributes changed without a corresponding administrative action.
  • HTTP POST or PUT requests to evaluator endpoints containing fields outside the documented schema, such as identifier or workspace fields.
  • Authenticated API sessions from one workspace producing successful writes that affect evaluators in another workspace.

Detection Strategies

  • Audit Flowise application logs for evaluator create and update calls, correlating the authenticated user's workspace with the target evaluator's workspace.
  • Compare evaluator inventories before and after the upgrade window to identify unexpected ownership transitions.
  • Inspect reverse proxy or API gateway logs for evaluator endpoint payloads containing unusual or undocumented JSON keys.
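The first and third detection strategies above turned into code, as an added example that is not part of this page or of Flowise: the JSON log line format, the `/api/v1/evaluators` path, the documented-key list and the evaluator inventory are constructed assumptions.

```typescript
// Added detection example. Log schema, endpoint path, documented keys and the
// evaluator-to-workspace inventory are assumptions, not Flowise's real log format.
interface LogEvent {
  ts: string; user: string; userWorkspace: string; method: string;
  path: string; body: Record<string, unknown>; status: number;
}
interface Finding { ts: string; user: string; reason: string }

const DOCUMENTED_KEYS = new Set(['name', 'config']);           // assumed schema
const EVALUATOR_PATH = /^\/api\/v1\/evaluators(?:\/([^/]+))?$/;   // assumed route

// inventory maps evaluator id -> owning workspace, taken from a trusted snapshot.
function analyzeEvaluatorLogs(lines: string[], inventory: Map<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    let ev: LogEvent;
    try { ev = JSON.parse(line) as LogEvent; } catch { continue; } // skip malformed lines
    if (!['POST', 'PUT'].includes(ev.method)) continue;
    const m = EVALUATOR_PATH.exec(ev.path);
    if (!m) continue;
    // Strategy 3: undocumented JSON keys (workspace or identifier fields) in the body.
    const extra = Object.keys(ev.body ?? {}).filter(k => !DOCUMENTED_KEYS.has(k));
    if (extra.length) findings.push({ ts: ev.ts, user: ev.user, reason: `undocumented keys: ${extra.join(',')}` });
    // Strategy 1: a successful write where caller and target workspaces differ.
    const target = m[1];
    const targetWs = target ? inventory.get(target) : undefined;
    if (target && ev.status < 300 && targetWs && targetWs !== ev.userWorkspace) {
      findings.push({ ts: ev.ts, user: ev.user, reason: `cross-workspace write ${ev.userWorkspace} -> ${targetWs} on ${target}` });
    }
  }
  return findings;
}

// Constructed sample data: ev-1 belongs to ws-A, ev-2 to ws-B.
const SAMPLE_INVENTORY = new Map<string, string>([['ev-1', 'ws-A'], ['ev-2', 'ws-B']]);
const SAMPLE_LOGS = [
  '{"ts":"2026-06-09T10:00:01Z","user":"alice","userWorkspace":"ws-A","method":"PUT","path":"/api/v1/evaluators/ev-1","body":{"name":"tox"},"status":200}',
  '{"ts":"2026-06-09T10:02:17Z","user":"mallory","userWorkspace":"ws-B","method":"PUT","path":"/api/v1/evaluators/ev-1","body":{"workspaceId":"ws-B","name":"x"},"status":200}',
  '{"ts":"2026-06-09T10:03:00Z","user":"bob","userWorkspace":"ws-B","method":"GET","path":"/api/v1/evaluators/ev-2","body":{},"status":200}',
  'not json',
];
```

Only the second sample line produces findings: one for the undocumented `workspaceId` key and one for the successful ws-B to ws-A write.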

Monitoring Recommendations

  • Forward Flowise application and access logs to a centralized analytics platform and alert on cross-workspace evaluator modifications.
  • Track the running Flowise version across deployments and alert when instances older than 3.1.2 are exposed.
  • Monitor authentication and API usage patterns for unusual evaluator-related activity following credential issuance to new users.

How to Mitigate CVE-2026-46480

Immediate Actions Required

  • Upgrade Flowise to version 3.1.2 or later using the official release at Flowise Release 3.1.2.
  • Review existing evaluators for unauthorized ownership or workspace changes and restore them from a known-good backup if tampering is suspected.
  • Rotate API tokens and session credentials for users who may have exploited or been targeted by the flaw.

Patch Information

FlowiseAI released Flowise 3.1.2, which restricts the writable fields accepted by the evaluator create and update handlers and enforces workspace ownership checks. The fix and full advisory are documented in GHSA-wxrr-jp8m-qq7f and the Flowise 3.1.2 release notes.

Workarounds

  • Restrict network access to the Flowise management API to trusted administrators until the patch is applied.
  • Limit account provisioning so that only required users hold credentials capable of reaching the evaluator endpoints.
  • Place an API gateway in front of Flowise to strip unexpected fields from evaluator request bodies where feasible.

```bash
# Upgrade Flowise to the patched version
npm install -g flowise@3.1.2

# Or for Docker deployments
docker pull flowiseai/flowise:3.1.2
docker stop flowise && docker rm flowise
# Re-apply the volume mounts (-v) and environment variables of the existing
# container so evaluator data and configuration persist across the upgrade
docker run -d --name flowise -p 3000:3000 flowiseai/flowise:3.1.2
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
