CVE-2026-42862

UNKNOWN 0.0

Flowise: Mass Assignment in Tool Update Endpoint Allows Cross-Workspace Resource Reassignment

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign tools to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.

CWE	CWE-284 CWE-639 CWE-915
Vendor	flowiseai
Product	flowise
Published	Jun 8, 2026
Last Updated	Jun 8, 2026

Stay Ahead of the Next One

Get instant alerts for flowiseai flowise

Be the first to know when new unknown vulnerabilities affecting flowiseai flowise are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

FlowiseAI / Flowise

< 3.1.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x5v6-pj28-cwwm github.com: https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2