How is CVE-2026-46479 exploited?

Network reachability (required): The attacker must reach the Flowise API over the network; the service must be exposed to the attacker's network path. Authentication (required): A low-privilege Flowise account is sufficient; no admin or elevated role is needed to trigger the mass-assignment flaw. Victim interaction (not-required): No action from another user or admin is needed; the attacker exploits the endpoint directly. Attack complexity (info): Exploitation requires a specific precondition to be met (AT:P), such as the target evaluation existing in a reachable workspace context, but the attack itself is otherwise condition-free once that precondition holds.

What is the impact of CVE-2026-46479?

The attacker reads evaluation data belonging to other workspaces, including any stored prompts, outputs, and test results. The attacker overwrites or corrupts evaluation records in foreign workspaces, tampers with scoring results, and injects malicious content into evaluation datasets. The attacker deletes or disrupts evaluation objects, causing denial of service for teams relying on those evaluations in their LLM development workflows. Cross-workspace access breaks tenant isolation, meaning a compromise by any low-privilege user can affect every workspace whose evaluations are reachable through the mass-assignment endpoint.

Back to search

HIGHCVE-2026-46479Published 2026-06-08Modified 2026-06-08CNA GitHub_M

CVE-2026-46479: Flowise: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2.

CVSS v4.0: 7.7
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Mass-assignment vulnerability in Flowise, the drag-and-drop LLM flow builder, allows an authenticated attacker to take over evaluations belonging to other workspaces. The flaw is reachable over the network and requires only a low-privilege account; no victim interaction is needed. Successful exploitation gives the attacker full read, write, and denial-of-service capability over the targeted evaluation objects. A patched-image rebuild at version 3.1.2 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-46479 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Flowise images. Any image running a Flowise version below 3.1.2 is flagged automatically in both registry scans and CI/CD pipeline checks.

Available

Triage

HarborGuard scores this CVE at 7.7 HIGH using the CVSS v4.0 vector and weights that score against each environment's compliance policy to determine routing priority. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules for the affected service.

Available

Patch

A patched-image rebuild at Flowise 3.1.2 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the Flowise API over the network; the service must be exposed to the attacker's network path.
AuthenticationRequired
A low-privilege Flowise account is sufficient; no admin or elevated role is needed to trigger the mass-assignment flaw.
Victim interactionNot required
No action from another user or admin is needed; the attacker exploits the endpoint directly.
Attack complexityDetail
Exploitation requires a specific precondition to be met (AT:P), such as the target evaluation existing in a reachable workspace context, but the attack itself is otherwise condition-free once that precondition holds.

Blast Radius

The attacker reads evaluation data belonging to other workspaces, including any stored prompts, outputs, and test results.
The attacker overwrites or corrupts evaluation records in foreign workspaces, tampers with scoring results, and injects malicious content into evaluation datasets.
The attacker deletes or disrupts evaluation objects, causing denial of service for teams relying on those evaluations in their LLM development workflows.
Cross-workspace access breaks tenant isolation, meaning a compromise by any low-privilege user can affect every workspace whose evaluations are reachable through the mass-assignment endpoint.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is matched against scanned images within minutes of ingestion, and a rebuild at Flowise 3.1.2 is available for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with remediation guidance pointing to the 3.1.2 upgrade. As an interim compensating control, network policy rules that restrict access to the Flowise API to trusted principals only reduce exposure until the patched image is deployed.

See how HarborGuard automates this

Affected packages

FlowiseAI / Flowise
< 3.1.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Metrics

Get notified