CVE-2026-41277

UNKNOWN 0.0

Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities. Because the service uses repository.save() with a client-supplied primary key, the POST create endpoint behaves as an implicit UPSERT operation. This enables overwriting existing DocumentStore objects. In multi-workspace or multi-tenant deployments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR), allowing an attacker to reassign or modify DocumentStore objects belonging to other workspaces. This vulnerability is fixed in 3.1.0.

CWE	CWE-284 CWE-639 CWE-915
Vendor	flowiseai
Product	flowise
Published	Apr 23, 2026

Stay Ahead of the Next One

Get instant alerts for flowiseai flowise

Be the first to know when new unknown vulnerabilities affecting flowiseai flowise are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

FlowiseAI / Flowise

< 3.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3prp-9gf7-4rxx