CVE-2026-8027

MEDIUM 4.3

FlowiseAI Flowise User Controller authorization

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded.

CWE	CWE-639 CWE-285
Vendor	flowiseai
Product	flowise
Published	May 6, 2026
Last Updated	May 6, 2026

Stay Ahead of the Next One

Get instant alerts for flowiseai flowise

Be the first to know when new medium vulnerabilities affecting flowiseai flowise are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

FlowiseAI / Flowise

3.0.0 3.0.1 3.0.2 3.0.3 3.0.4 3.0.5 3.0.6 3.0.7 3.0.8 3.0.9 3.0.10 3.0.11 3.0.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/361274 vuldb.com: https://vuldb.com/vuln/361274/cti vuldb.com: https://vuldb.com/submit/777657 gist.github.com: https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b

Credits

🔍 Eric-a (VulDB User)