HarborGuard Database

HIGH | CVE-2026-46478 | CNA: GitHub_M

CVE-2026-46478: Flowise: DatasetRow create+update mass-assignment allows cross-workspace row takeover

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover. This issue has been patched in version 3.1.2.

Metrics

CVSS v4.0: 7.7
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

A mass-assignment vulnerability in Flowise, the drag-and-drop LLM flow builder, allows an authenticated attacker to create or update DatasetRow records across workspace boundaries. The flaw is reachable over the network and requires only a low-privilege account, with no special conditions beyond an existing authenticated session. Successful exploitation gives the attacker full read, write, and availability control over targeted rows in other workspaces. A patched-image rebuild at version 3.1.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-46478 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Flowise images, in both registry scans and CI pipeline checks.

Triage (Available)

HarborGuard is capable of scoring this finding at CVSS 7.7 HIGH and weighting it against each environment's compliance policy to surface it to the appropriate team inbox within the customer org.

Patch (Pending upstream)

Because version 3.1.2 contains the upstream fix, a patched-image rebuild at that version becomes available on HarborGuard for any environment found running an affected image. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable API endpoint is exposed over the network, so an attacker must be able to reach the Flowise service directly.

  • Authentication: Required

    A low-privilege account is sufficient; no admin credentials are needed to submit malicious mass-assignment payloads.

  • Victim interaction: Not required

    The attacker acts entirely through their own authenticated API requests and does not need any other user to take any action.

  • Attack complexity: Detail

    Base exploit logic is straightforward, though the CVSS vector notes an attack requirement (AT:P), meaning specific deployment or configuration conditions must be present for the cross-workspace takeover to succeed.

Blast Radius

  • Reads DatasetRow contents belonging to other workspaces, potentially exposing training data, prompt datasets, or sensitive LLM pipeline inputs.
  • Overwrites or tampers with DatasetRow records in other workspaces, corrupting datasets used to drive LLM flows.
  • Disrupts the availability of targeted DatasetRows, breaking downstream LLM pipeline runs that depend on those records.
  • Cross-workspace boundary violation allows lateral movement across tenant data within the same Flowise deployment.
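The exploit conditions and blast radius above describe a classic mass-assignment flaw: a create/update handler copies whatever fields the request body carries onto the stored entity, so a tenant-scoping field such as the workspace identifier becomes caller-controlled. The following TypeScript is an added illustration written for this page; it is not Flowise's own code, and the DatasetRow shape, the Session type and the field names are assumptions. It places the vulnerable handler pattern beside the hardened one (allow-listed mutable fields, lookup scoped to the caller's workspace, workspace always taken from the session) and returns the dropped keys so a deployment can log attempts to set protected fields.

```typescript
// Added example, not Flowise's code. Entity, session and field names are assumptions.

interface DatasetRow {
  id: string;
  datasetId: string;
  workspaceId: string; // tenant boundary; must never be caller-controlled
  input: string;
  output: string;
}

interface Session {
  userId: string;
  workspaceId: string; // resolved server-side from the authenticated session
}

interface Store {
  rows: Map<string, DatasetRow>;
  datasetWorkspace: Map<string, string>; // datasetId -> owning workspaceId
}

// Constructed sample data: one dataset and one row owned by a victim workspace.
export function sampleStore(): Store {
  return {
    rows: new Map([
      ["row-1", { id: "row-1", datasetId: "ds-a", workspaceId: "ws-victim", input: "q1", output: "a1" }],
    ]),
    datasetWorkspace: new Map([["ds-a", "ws-victim"]]),
  };
}

// VULNERABLE PATTERN: the row is fetched by id alone and the whole body is merged
// into it. Any authenticated caller can therefore overwrite id, datasetId or
// workspaceId on a row they do not own, which is the cross-workspace takeover.
export function updateRowVulnerable(store: Store, _session: Session, rowId: string,
                                    body: Record<string, unknown>): DatasetRow | null {
  const row = store.rows.get(rowId);
  if (!row) return null;
  Object.assign(row, body); // mass assignment: every key in the body is accepted
  return row;
}

// HARDENED PATTERN: allow-list the fields a caller may set, scope the lookup to the
// caller's workspace, and take workspaceId from the session, never from the body.
const MUTABLE_FIELDS = ["input", "output"] as const;
type MutableField = (typeof MUTABLE_FIELDS)[number];

export function pickMutable(body: Record<string, unknown>):
    { patch: Partial<Pick<DatasetRow, MutableField>>; dropped: string[] } {
  const patch: Partial<Pick<DatasetRow, MutableField>> = {};
  const dropped: string[] = [];
  for (const [key, value] of Object.entries(body)) {
    if ((MUTABLE_FIELDS as readonly string[]).includes(key) && typeof value === "string") {
      patch[key as MutableField] = value;
    } else {
      dropped.push(key); // protected or unknown key: worth logging as a probing signal
    }
  }
  return { patch, dropped };
}

export function updateRowSafe(store: Store, session: Session, rowId: string,
                              body: Record<string, unknown>): { row: DatasetRow | null; dropped: string[] } {
  const row = store.rows.get(rowId);
  // A row in another workspace is treated exactly like a missing row.
  if (!row || row.workspaceId !== session.workspaceId) return { row: null, dropped: [] };
  const { patch, dropped } = pickMutable(body);
  Object.assign(row, patch); // only allow-listed fields reach the entity
  return { row, dropped };
}

export function createRowSafe(store: Store, session: Session, id: string,
                              body: Record<string, unknown>): { row: DatasetRow | null; dropped: string[] } {
  const datasetId = typeof body.datasetId === "string" ? body.datasetId : "";
  // The target dataset must belong to the caller's workspace.
  if (store.datasetWorkspace.get(datasetId) !== session.workspaceId) return { row: null, dropped: [] };
  const { patch, dropped } = pickMutable(body);
  const row: DatasetRow = {
    id,
    datasetId,
    workspaceId: session.workspaceId, // from the session, regardless of the body
    input: patch.input ?? "",
    output: patch.output ?? "",
  };
  store.rows.set(id, row);
  return { row, dropped: dropped.filter((k) => k !== "datasetId") };
}
```

The hardened update returns the same "not found" result for a row that exists in another workspace as for one that does not exist, so the endpoint does not leak which ids are live elsewhere; the `dropped` list is what a detection rule would alert on when a body repeatedly carries `workspaceId` or `id`.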

How HarborGuard Handles This

Available on HarborGuard: detection is matched against all scanned images within minutes of advisory ingestion, so any image carrying a Flowise version below 3.1.2 surfaces immediately in scan results. Where compliance policy permits auto-remediation, HarborGuard can rebuild the image at the patched version 3.1.2, execute a regression run, and open a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that require manual review before patching, the finding is routed through normal triage queues with the CVSS 7.7 HIGH score attached. As an interim compensating control while remediation is reviewed, network policy rules that restrict which authenticated users can reach the DatasetRow create and update endpoints, combined with workspace-level egress filtering, reduce the exposure window until the patched image is deployed.

Affected packages

  • FlowiseAI / Flowise: < 3.1.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N