CVE-2026-42863: Flowise: Mass Assignment in Chatflow Update Endpoint Allows Cross-Workspace AgentFlow Reassignment
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings. This issue has been patched in version 3.1.2.
Metrics
- CVSS v4.0: 7.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A mass assignment vulnerability in FlowiseAI's Flowise chatflow update endpoint allows an authenticated user to overwrite server-controlled fields such as workspaceId, deployed, isPublic, createdDate, and updatedDate. The endpoint is reachable over the network and requires only a low-privilege account, with no interaction from any other user needed. Successful exploitation lets an attacker reassign a chatflow to a different workspace and manipulate deployment and visibility settings without authorization. A patched-image rebuild at version 3.1.2 is available on HarborGuard for environments running an affected version of Flowise.
HarborGuard Coverage
Detection of CVE-2026-42863 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Flowise images, in both registry scans and CI/CD pipeline checks.
Status: Available
HarborGuard is capable of scoring this CVE at CVSS 7.6 (High) and weighting it against each environment's compliance policy to surface the finding to the appropriate team inbox. Per-environment policy controls allow routing and prioritization without requiring manual triage steps.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream fix is released. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression run and a PR opened against affected workloads.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The chatflow update endpoint is exposed over the network, so an attacker must be able to reach the Flowise service via HTTP to send the malicious request.
- Authentication: Required
Any low-privilege account is sufficient; the attacker needs valid credentials to call the chatflow update endpoint but does not need admin rights.
- Victim interaction: Not required
The attacker sends a crafted API request directly; no action from another user or administrator is needed to complete the exploit.
- Attack complexity: Detail
Attack complexity is rated High, meaning the exploit depends on environmental conditions or timing factors beyond the attacker's direct control, such as knowing a target workspaceId.
Blast Radius
- Reads sensitive chatflow configurations, including internal deployment state and visibility settings, belonging to other workspaces.
- Modifies the workspaceId field to reassign a chatflow to an arbitrary workspace, breaking tenant isolation.
- Tampers with the isPublic and deployed fields to change whether a chatflow is publicly accessible or actively serving traffic without authorization.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-42863 is active across scanning pipelines, matched against any image that bundles Flowise below version 3.1.2. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix is released upstream. For customers with auto-remediation enabled, that rebuild will trigger a regression run and a PR against affected workloads automatically. In the interim, compensating controls worth considering include network-policy isolation to restrict which internal services and users can reach the Flowise API, egress filtering to limit lateral movement from a compromised Flowise instance, and feature-flag or reverse-proxy gating on the chatflow update endpoint to enforce stricter field-level validation at the perimeter while the upstream patch is pending.
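The field-level validation described above, sketched as an added example (not Flowise's or HarborGuard's code): a merge-everything update next to an allow-listed one that authorizes from the session and rejects server-controlled keys. The server-controlled field names come from the advisory; the editable-field list, function names, and record shape are assumptions.

```javascript
// Added example, not Flowise code. Field names in SERVER_CONTROLLED come from the advisory;
// CLIENT_EDITABLE, the function names and the record shape are assumptions.
const SERVER_CONTROLLED = new Set(['deployed', 'isPublic', 'workspaceId', 'createdDate', 'updatedDate']);
const CLIENT_EDITABLE = new Set(['name', 'flowData', 'category']);

// Vulnerable pattern: the request body is merged into the stored record as-is.
function updateChatflowUnsafe(stored, body) {
  return { ...stored, ...body };
}

// Hardened pattern: authorize from the session, allow-list editable keys,
// and set server-controlled values on the server.
function updateChatflowSafe(stored, body, session, now = new Date()) {
  if (stored.workspaceId !== session.workspaceId) {
    return { status: 403, record: stored, blocked: [] };
  }
  const patch = {};
  const blocked = [];
  for (const key of Object.keys(body)) {
    if (CLIENT_EDITABLE.has(key)) patch[key] = body[key];
    else blocked.push(key); // server-controlled or unknown key
  }
  // Reject (and surface for logging) any attempt to set a server-controlled field.
  if (blocked.some((key) => SERVER_CONTROLLED.has(key))) {
    return { status: 400, record: stored, blocked };
  }
  return { status: 200, record: { ...stored, ...patch, updatedDate: now.toISOString() }, blocked };
}

// Constructed sample data.
const sampleStored = { id: 'cf-1', name: 'support-bot', workspaceId: 'ws-a', isPublic: false, deployed: false };
const sampleBody = { name: 'renamed', workspaceId: 'ws-b', isPublic: true };
const sampleSession = { userId: 'u-1', workspaceId: 'ws-a' };

console.log(updateChatflowUnsafe(sampleStored, sampleBody).workspaceId);
console.log(updateChatflowSafe(sampleStored, sampleBody, sampleSession));
```

The `blocked` list returned with a 400 doubles as an audit signal: a request body that names `workspaceId` or `isPublic` is worth logging even when it is rejected.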
- FlowiseAI / Flowise < 3.1.2
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N