How is CVE-2026-46441 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Flowise service via HTTP. Authentication (required): A low-privilege authenticated account is sufficient; no administrative privileges are needed to reach the vulnerable endpoint. Victim interaction (not-required): The attacker sends a crafted API request directly; no victim action or social engineering is involved. Attack complexity (info): Attack complexity is rated High, meaning the attacker may need to satisfy specific environmental or timing conditions, such as knowledge of target workspace identifiers, to complete the reassignment.

What is the impact of CVE-2026-46441?

Reads assistant configurations and associated LLM flow data belonging to other workspace tenants, breaching cross-tenant confidentiality. Reassigns assistants across workspace boundaries, corrupting resource ownership and disrupting expected tenant isolation in multi-workspace deployments. Manipulates server-controlled metadata fields such as createdDate and updatedDate, undermining audit trails and data integrity for affected resources.

Back to search

HIGHCVE-2026-46441Published 2026-06-08Modified 2026-06-08CNA GitHub_M

CVE-2026-46441: Flowise: Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource Reassignment

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.

CVSS v4.0: 7.6
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A mass assignment vulnerability in Flowise allows authenticated users to overwrite server-controlled fields, including workspaceId, on the assistant update endpoint. The flaw is reachable over the network and requires only a low-privilege account; no additional victim interaction is needed. Successful exploitation lets an attacker reassign assistants to arbitrary workspaces, breaking tenant isolation and exposing or corrupting resources belonging to other workspace tenants. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Flowise images, in registries and CI/CD pipelines. Any image shipping an affected Flowise version below 3.1.2 is flagged immediately.

Available

Triage

HarborGuard scores this finding at CVSS 4.0 7.6 (High) and applies each customer environment's compliance policy weighting to prioritize routing. Triage tickets are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream project ships a confirmed fix. In the interim, customers can use HarborGuard's network-policy isolation controls and egress filtering recommendations to reduce exposure while awaiting the patch.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Flowise service via HTTP.
AuthenticationRequired
A low-privilege authenticated account is sufficient; no administrative privileges are needed to reach the vulnerable endpoint.
Victim interactionNot required
The attacker sends a crafted API request directly; no victim action or social engineering is involved.
Attack complexityDetail
Attack complexity is rated High, meaning the attacker may need to satisfy specific environmental or timing conditions, such as knowledge of target workspace identifiers, to complete the reassignment.

Blast Radius

Reads assistant configurations and associated LLM flow data belonging to other workspace tenants, breaching cross-tenant confidentiality.
Reassigns assistants across workspace boundaries, corrupting resource ownership and disrupting expected tenant isolation in multi-workspace deployments.
Manipulates server-controlled metadata fields such as createdDate and updatedDate, undermining audit trails and data integrity for affected resources.

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against all scanned Flowise images and flagged at High severity in the findings dashboard. Because no upstream fix version exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically when FlowiseAI publishes a confirmed fix. While waiting for an upstream patch, customers can apply compensating controls through HarborGuard's policy engine: restrict inbound network access to the Flowise API to known trusted CIDR ranges, enable egress filtering to limit lateral movement, and where possible gate the assistant update endpoint behind stricter authorization via a reverse proxy or feature-flag configuration. For customers who opt into auto-remediation, a rebuild, regression-test run, and pull request against affected workloads will be triggered automatically as soon as a fix version is available, with median time from CVE publication to merged patch PR for High-severity issues around 90 minutes in environments with auto-remediation enabled.

See how HarborGuard automates this

Affected packages

FlowiseAI / Flowise
< 3.1.2

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

Metrics

Get notified