How is CVE-2026-46475 exploited?

Network reachability (required): The attacker must reach the Flowise API over the network; the service must be exposed to an internet or internal network endpoint. Authentication (required): A low-privilege account is sufficient; the attacker only needs any valid Flowise user credential to send the malformed mass-assignment request. Victim interaction (not-required): No victim action is needed; the attacker submits the crafted request directly without relying on a user to click a link or take any other step. Attack complexity (info): The exploit has a prerequisite timing or environmental condition (AT:P) meaning specific attack requirements must align, though the base complexity is low once those conditions are met.

What is the impact of CVE-2026-46475?

Reads all data stored in assistant objects belonging to other workspaces, including prompts, configuration, and any linked credentials. Overwrites or corrupts assistant configurations in victim workspaces, redirecting LLM behavior or destroying pipeline logic. Causes denial of service for victim workspace users by corrupting or deleting the assistants those workspaces depend on. Grants persistent cross-workspace control by reassigning assistant ownership, allowing the attacker to maintain access beyond the initial exploit.

Back to search

HIGHCVE-2026-46475Published 2026-06-08Modified 2026-06-08CNA GitHub_M

CVE-2026-46475: Flowise: Assistant create+update mass-assignment allows cross-workspace assistant takeover

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2.

CVSS v4.0: 7.7
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Mass-assignment vulnerability in Flowise, a drag-and-drop LLM workflow builder, allows an authenticated attacker to overwrite assistant objects belonging to other workspaces. The flaw is reachable over the network and requires only a low-privilege account, with no victim interaction needed. Successful exploitation gives the attacker full read, write, and disruption control over targeted assistants across workspace boundaries. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix version is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Flowise images, in both registry scans and active CI/CD pipeline checks.

Available

Triage

HarborGuard scores this finding at CVSS 7.7 HIGH and weights it against each environment's compliance policy to determine urgency, then routes the alert to the appropriate team inbox within the customer org.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment FlowiseAI releases a remediated version. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as that image becomes buildable.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the Flowise API over the network; the service must be exposed to an internet or internal network endpoint.
AuthenticationRequired
A low-privilege account is sufficient; the attacker only needs any valid Flowise user credential to send the malformed mass-assignment request.
Victim interactionNot required
No victim action is needed; the attacker submits the crafted request directly without relying on a user to click a link or take any other step.
Attack complexityDetail
The exploit has a prerequisite timing or environmental condition (AT:P) meaning specific attack requirements must align, though the base complexity is low once those conditions are met.

Blast Radius

Reads all data stored in assistant objects belonging to other workspaces, including prompts, configuration, and any linked credentials.
Overwrites or corrupts assistant configurations in victim workspaces, redirecting LLM behavior or destroying pipeline logic.
Causes denial of service for victim workspace users by corrupting or deleting the assistants those workspaces depend on.
Grants persistent cross-workspace control by reassigning assistant ownership, allowing the attacker to maintain access beyond the initial exploit.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-46475 has been published, HarborGuard monitors the FlowiseAI advisory on every ingest cycle and will surface a patched-image rebuild the moment version 3.1.2 or later appears in upstream sources. In the meantime, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict Flowise API exposure to trusted internal CIDRs only, egress filtering to limit workspace-to-workspace API paths, and flagging any image running an affected Flowise version for mandatory review before deployment. For customers with auto-remediation enabled, the rebuild plus regression run and PR against affected workloads will be triggered automatically with no manual step required once the fix ships.

See how HarborGuard automates this

Affected packages

FlowiseAI / Flowise
< 3.1.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Metrics

Get notified