How is CVE-2026-46476 exploited?

Network reachability (required): The vulnerable API endpoint is exposed over the network, so the attacker must be able to reach the Flowise service remotely. Authentication (required): Any low-privilege Flowise account is sufficient; no administrative or elevated credentials are needed. Victim interaction (not-required): The attacker can carry out the takeover entirely on their own without any action from another user. Attack complexity (info): The base exploit is condition-free and reliable, though the CVSS vector notes an attack requirement (AT:P), meaning specific deployment conditions such as multi-workspace configuration must be present for the cross-workspace takeover to be meaningful.

What is the impact of CVE-2026-46476?

Reads the full content of CustomTemplates owned by other workspaces, exposing proprietary LLM flow definitions and any embedded credentials or prompts. Overwrites or corrupts CustomTemplates in other workspaces, breaking flows that other tenants depend on. Causes service disruption for affected workspaces if critical templates are deleted or replaced with malformed data. The confidentiality, integrity, and availability of tenant-scoped template data are all fully compromised on the vulnerable host.

Back to search

HIGHCVE-2026-46476Published 2026-06-08Modified 2026-06-08CNA GitHub_M

CVE-2026-46476: Flowise: CustomTemplate create+update mass-assignment allows cross-workspace template takeover

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2.

CVSS v4.0: 7.7
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A mass-assignment vulnerability in Flowise, the drag-and-drop LLM flow builder, allows an authenticated attacker to set arbitrary ownership fields when creating or updating a CustomTemplate, overwriting templates that belong to other workspaces. The vulnerability is reachable over the network and requires only a low-privilege account. Successful exploitation lets the attacker read, modify, or corrupt templates owned by other tenants, effectively taking over cross-workspace resources. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Flowise images, in registries and CI/CD pipelines. Any image running a Flowise build earlier than the patched version will surface as affected.

Available

Triage

HarborGuard scores this finding at CVSS 7.7 (HIGH) and applies per-environment compliance policy weighting before routing the alert to the appropriate team inbox within each customer organization. Security and platform teams can immediately see which pipeline stages and registries contain affected images.

Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream release ships. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable API endpoint is exposed over the network, so the attacker must be able to reach the Flowise service remotely.
AuthenticationRequired
Any low-privilege Flowise account is sufficient; no administrative or elevated credentials are needed.
Victim interactionNot required
The attacker can carry out the takeover entirely on their own without any action from another user.
Attack complexityDetail
The base exploit is condition-free and reliable, though the CVSS vector notes an attack requirement (AT:P), meaning specific deployment conditions such as multi-workspace configuration must be present for the cross-workspace takeover to be meaningful.

Blast Radius

Reads the full content of CustomTemplates owned by other workspaces, exposing proprietary LLM flow definitions and any embedded credentials or prompts.
Overwrites or corrupts CustomTemplates in other workspaces, breaking flows that other tenants depend on.
Causes service disruption for affected workspaces if critical templates are deleted or replaced with malformed data.
The confidentiality, integrity, and availability of tenant-scoped template data are all fully compromised on the vulnerable host.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored on every advisory ingest cycle because no upstream fix version has been published. In the meantime, customers running Flowise in multi-workspace deployments can apply compensating controls surfaced through HarborGuard policy annotations, including network-policy isolation to restrict which principals can reach the CustomTemplate API, egress filtering to limit lateral movement if the service is compromised, and feature-flag or API-gateway gating on template write endpoints. The moment FlowiseAI publishes a patched release, HarborGuard will make a rebuilt image available; for customers with auto-remediation enabled, this triggers a full regression run and a PR opened against affected workloads automatically.

See how HarborGuard automates this

Affected packages

FlowiseAI / Flowise
< 3.1.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Metrics

Get notified