HIGH | CVE-2026-46480 | Published | Modified | CNA: GitHub_M

CVE-2026-46480: Flowise: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2.

Metrics

CVSS v4.0: 7.7
Severity: HIGH
Fixed in: (not listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

A mass-assignment vulnerability in Flowise, the drag-and-drop LLM workflow builder, allows an authenticated attacker to take over evaluators belonging to other workspaces by sending crafted create or update requests. The vulnerability is reachable over the network and requires only a low-privilege account; no victim interaction is needed. Successful exploitation gives the attacker full read, write, and availability impact on the target evaluator resource. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix version is published.
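The mass-assignment pattern the synopsis describes, shown as a generic evaluator create/update handler beside a hardened form. This is an added example for illustration, not Flowise's code or its actual fix; the entity shape, the field names (workspaceId, name, evaluatorType, config), the session object and the in-memory store are all assumptions.

```typescript
// Added example (not Flowise's code): a generic evaluator create/update
// handler in its mass-assignment form and in a hardened form. Entity shape,
// field names (workspaceId, name, evaluatorType, config), the session object
// and the in-memory store are assumptions chosen for illustration.

type Evaluator = {
  id: string;
  workspaceId: string;              // ownership field: never client-controlled
  name: string;
  evaluatorType: string;
  config: Record<string, unknown>;
};

type Session = { userId: string; workspaceId: string }; // workspace the caller is authenticated into
type Body = Record<string, unknown>;                     // parsed JSON request body

// Vulnerable form: every key in the request body is copied onto the entity,
// so a body carrying "workspaceId" re-homes the record into another workspace.
function updateEvaluatorUnsafe(store: Map<string, Evaluator>, id: string, body: Body): Evaluator | undefined {
  const existing = store.get(id);
  if (!existing) return undefined;
  const updated: Evaluator = Object.assign({}, existing, body); // mass assignment
  store.set(id, updated);
  return updated;
}

// Hardened form, three rules:
//  1. only allow-listed, user-editable fields are copied from the body;
//  2. the ownership field always comes from the session, never from the body;
//  3. reads and writes are scoped to the caller's workspace, so an id that
//     belongs to another workspace is indistinguishable from a missing one.
const EDITABLE_FIELDS = ["name", "evaluatorType", "config"] as const;

function pickEditable(body: Body): Body {
  const out: Body = {};
  for (const key of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

function createEvaluatorSafe(store: Map<string, Evaluator>, id: string, body: Body, session: Session): Evaluator {
  const base: Evaluator = { id, workspaceId: session.workspaceId, name: "", evaluatorType: "", config: {} };
  const created: Evaluator = Object.assign(base, pickEditable(body)); // rule 1
  created.workspaceId = session.workspaceId; // rule 2, even if the allow-list is later widened by mistake
  store.set(id, created);
  return created;
}

function updateEvaluatorSafe(store: Map<string, Evaluator>, id: string, body: Body, session: Session): Evaluator | undefined {
  const existing = store.get(id);
  if (!existing || existing.workspaceId !== session.workspaceId) return undefined; // rule 3
  const updated: Evaluator = Object.assign({}, existing, pickEditable(body));      // rule 1
  updated.workspaceId = existing.workspaceId;                                       // rule 2
  store.set(id, updated);
  return updated;
}

// Constructed data: one evaluator owned by workspace "ws-A", one caller
// authenticated into "ws-B", and a body that also tries to set workspaceId.
function runDemo(): { unsafeMoved: boolean; safeRejected: boolean; safeKeepsOwner: boolean; createKeepsOwner: boolean } {
  const seed = (): Map<string, Evaluator> =>
    new Map<string, Evaluator>([["ev-1", { id: "ev-1", workspaceId: "ws-A", name: "accuracy", evaluatorType: "llm", config: {} }]]);
  const callerA: Session = { userId: "u-1", workspaceId: "ws-A" };
  const callerB: Session = { userId: "u-2", workspaceId: "ws-B" };
  const body: Body = { name: "renamed", workspaceId: "ws-B" };

  const unsafeStore = seed();
  const unsafeResult = updateEvaluatorUnsafe(unsafeStore, "ev-1", body);

  const safeStore = seed();
  const rejected = updateEvaluatorSafe(safeStore, "ev-1", body, callerB);     // foreign workspace: not found
  const ownerUpdate = updateEvaluatorSafe(safeStore, "ev-1", body, callerA);  // owner: name changes, owner does not
  const created = createEvaluatorSafe(safeStore, "ev-2", body, callerA);      // create: owner taken from session

  return {
    unsafeMoved: unsafeResult?.workspaceId === "ws-B",
    safeRejected: rejected === undefined && safeStore.get("ev-1")?.workspaceId === "ws-A",
    safeKeepsOwner: ownerUpdate?.name === "renamed" && ownerUpdate?.workspaceId === "ws-A",
    createKeepsOwner: created.workspaceId === "ws-A" && created.name === "renamed",
  };
}

console.log(runDemo());
```

Run with ts-node (or compile with tsc and run under node); the printed object shows the unsafe handler moving the record to the caller-supplied workspace while both hardened handlers keep ownership pinned to the session. The allow-list and the session-derived owner are independent controls: the workspace-scoped lookup in rule 3 is what stops a caller from even finding an evaluator outside their own workspace, and rules 1 and 2 are what stop the ownership field from being rewritten once a record is found.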

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-46480 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Flowise images, in registries and CI pipelines.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 7.7 (High) and weighting it against each environment's compliance policy. Triage routing can direct alerts to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fixed release appears. Until then, customers can use HarborGuard's policy controls to flag or block deployment of affected image versions.

Exploit Conditions

  • Network reachability: Required

    The vulnerable API endpoint is exposed over the network, so the attacker must be able to reach the Flowise service via HTTP.

  • Authentication: Required

    A low-privilege account is sufficient; the attacker does not need administrative credentials to send the crafted evaluator payload.

  • Victim interaction: Not required

    No action from another user or workspace member is needed to complete the attack.

  • Attack complexity: see detail below

    The CVSS vector rates attack complexity as low (AC:L): the base exploit logic is condition-free and reliable. The AT:P token, however, indicates that specific deployment conditions (such as a multi-workspace configuration being active) must be present for the cross-workspace takeover to succeed.

Blast Radius

  • Reads evaluator configurations and associated data belonging to other workspaces.
  • Overwrites or tampers with evaluator definitions in victim workspaces, corrupting LLM evaluation results.
  • Denies availability of targeted evaluators, disrupting automated model evaluation pipelines in affected workspaces.
  • Provides no confirmed lateral reach into systems outside the Flowise instance itself, based on the CVSS scope tokens.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-46480 is active across all scanned environments, matching any image that packages an affected Flowise version below 3.1.2. Because no upstream fix version has been published yet, the patched-image rebuild flow is not yet available; HarborGuard will trigger that flow automatically once a fixed release is ingested. In the meantime, customers are encouraged to apply compensating controls through HarborGuard policy: network-policy rules can restrict which principals may reach Flowise API endpoints, and admission controls can be configured to alert or block deployment of the affected image tag. The advisory is re-evaluated on every ingest cycle, so customers with auto-remediation enabled will receive a rebuild, regression run, and PR against affected workloads without manual intervention the moment a patch is available upstream.

Affected packages

  • FlowiseAI / Flowise: < 3.1.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N