How is CVE-2026-46477 exploited?

Network reachability (required): The attacker must reach the Flowise API over the network; the service must be exposed to the attacker's network segment. Authentication (required): A low-privilege Flowise account is sufficient; no administrative or elevated permissions are needed. Victim interaction (not-required): No user interaction is required; the attacker acts entirely through their own crafted requests. Attack complexity (info): Base exploit reliability is high, though AT:P indicates a specific deployment condition (such as multi-workspace configuration) must be present for the cross-workspace takeover to succeed.

What is the impact of CVE-2026-46477?

Attacker reads dataset contents belonging to other workspaces, including any training data, prompts, or user-supplied records stored there. Attacker overwrites or reassigns dataset records in victim workspaces, corrupting LLM pipeline inputs or substituting malicious data. Attacker can render datasets unavailable to their legitimate workspace owners, disrupting active LLM flows that depend on them.

Back to search

HIGHCVE-2026-46477Published 2026-06-08Modified 2026-06-09CNA GitHub_M

CVE-2026-46477: Flowise: Dataset create+update mass-assignment allows cross-workspace dataset takeover

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover. This issue has been patched in version 3.1.2.

CVSS v4.0: 7.7
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A mass-assignment vulnerability in Flowise, the drag-and-drop LLM flow builder, allows an authenticated attacker to reassign or take over datasets belonging to other workspaces by injecting unexpected fields into dataset create or update requests. The attack is reachable over the network and requires only a low-privilege account within the application. Successful exploitation gives the attacker full read, write, and denial-of-service capability over victim workspace datasets. A patched-image rebuild at version 3.1.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46477 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built Flowise images. Any image carrying a Flowise version below 3.1.2 is flagged automatically.

Available

Triage

HarborGuard scores this finding at CVSS 7.7 HIGH and weights it against each customer environment's compliance policy to determine urgency and routing. The finding is directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at Flowise 3.1.2 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests against the new image, and opens a pull request against affected workloads automatically.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the Flowise API over the network; the service must be exposed to the attacker's network segment.
AuthenticationRequired
A low-privilege Flowise account is sufficient; no administrative or elevated permissions are needed.
Victim interactionNot required
No user interaction is required; the attacker acts entirely through their own crafted requests.
Attack complexityDetail
Base exploit reliability is high, though AT:P indicates a specific deployment condition (such as multi-workspace configuration) must be present for the cross-workspace takeover to succeed.

Blast Radius

Attacker reads dataset contents belonging to other workspaces, including any training data, prompts, or user-supplied records stored there.
Attacker overwrites or reassigns dataset records in victim workspaces, corrupting LLM pipeline inputs or substituting malicious data.
Attacker can render datasets unavailable to their legitimate workspace owners, disrupting active LLM flows that depend on them.

How HarborGuard Handles This

Available on HarborGuard: detection coverage for CVE-2026-46477 is active across all customer pipelines, matching images against the affected version range (Flowise below 3.1.2) within minutes of the advisory entering upstream feeds. A patched rebuild at version 3.1.2 is available for any environment where an affected image is found. For customers with auto-remediation enabled, HarborGuard performs the rebuild, executes a regression test run against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy or deployment constraints prevent immediate auto-remediation, compensating controls worth considering include restricting Flowise API access to trusted internal network segments via network policy, enforcing egress filtering to limit lateral movement if a takeover occurs, and auditing dataset ownership records for unexpected cross-workspace assignments until the patched image is deployed.

See how HarborGuard automates this

Affected packages

FlowiseAI / Flowise
< 3.1.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Metrics

Get notified