SB2026051873 - Multiple vulnerabilities in Flowise

Published: May 18, 2026

Security Bulletin ID: SB2026051873
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 20
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 65%
Low: 35%

Description

This security bulletin contains information about 20 vulnerabilities.


1) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-46480)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to modify evaluator ownership across workspaces and take over evaluator data.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the Evaluator controller/service when handling create and update requests. A remote user can send a crafted request with a modified workspaceId value to modify evaluator ownership across workspaces and take over evaluator data.

Exploitation requires an authenticated session with permission to update the source evaluator, and target workspace identifiers can be obtained from API responses.


2) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-46479)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to modify evaluation ownership across workspaces and disclose or alter evaluation data.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in packages/server/src/services/evaluations/index.ts when handling create or update requests for Evaluation entities. A remote user can send a crafted request containing a manipulated workspaceId to modify evaluation ownership across workspaces and disclose or alter evaluation data.

Exploitation requires an authenticated session with permission to update the source evaluation, and workspace identifiers can be obtained from API responses.


3) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-46477)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to modify dataset ownership across workspaces and disclose or alter dataset contents.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the dataset service when handling create or update requests. A remote user can send a crafted request containing a workspaceId value to modify dataset ownership across workspaces and disclose or alter dataset contents.

Exploitation requires an authenticated session with permission to update the source dataset, and target workspace identifiers can be obtained from API responses.


4) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-46478)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to modify dataset rows across workspace boundaries and disclose sensitive information.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the DatasetRow create and update service in packages/server/src/services/dataset/index.ts when handling crafted API requests that mass-assign request body fields onto DatasetRow entities. A remote user can send a specially crafted request with a client-controlled workspaceId or datasetId to modify dataset rows across workspace boundaries and disclose sensitive information.

Exploitation requires an authenticated session with permission to edit the source dataset row, and workspace identifiers can be obtained from API responses.


5) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-46476)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to modify custom templates across workspace boundaries.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the CustomTemplate create and update logic in packages/server/src/services/marketplaces/index.ts when handling crafted API requests. A remote user can send a crafted request with a user-controlled workspaceId to modify custom templates across workspace boundaries.

Exploitation requires an authenticated session with permission to update the source custom template, and target workspace identifiers can be obtained from API responses.


6) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-46475)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to take over assistants across workspaces.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the assistants service when handling create and update requests. A remote user can send a crafted request with a modified workspaceId value to take over assistants across workspaces.

Exploitation requires an authenticated session with permission to update the source assistant, and target workspace identifiers can be enumerated from API responses.


7) Missing Authorization (CVE-ID: CVE-2026-46444)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to access, modify, delete, and upload files to vector stores.

The vulnerability exists due to improper access control in the OpenAI Assistants Vector Store CRUD endpoints when handling API requests to /api/v1/openai-assistants-vector-store. A remote user can send crafted requests to access, modify, delete, and upload files to vector stores.

The affected routes lack checkAnyPermission() middleware on create, update, delete, and file upload operations.


8) Information disclosure (CVE-ID: CVE-2026-46443)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the credentials service when handling requests with a credentialName filter parameter. A remote user can send a specially crafted request with the filter parameter to disclose sensitive information.

The response may include the encryptedData field for stored credentials, such as API keys, passwords, and tokens.
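Item 8 is an output-filtering failure: a listing filtered by credentialName returns the stored encryptedData field. The defensive pattern is to declare a response type that cannot carry the secret, copy only the public fields into it, and scope the listing to the caller's workspace. The following TypeScript is an added illustration written for this bulletin, not Flowise's code; the entity fields, the session object and the sample rows are assumptions.

```typescript
// Added example (not Flowise code): credential listing that never returns
// the encrypted secret and only returns rows from the caller's workspace.
// Entity fields and the session shape are assumptions.
interface StoredCredential {
  id: string
  name: string
  credentialName: string   // type of credential, e.g. "openAIApi" (constructed value)
  encryptedData: string    // secret material; must never leave the server
  workspaceId: string
  updatedDate: string
}

// The response type is declared without encryptedData, so any code path
// that tries to return the raw entity fails to compile.
type CredentialSummary = Omit<StoredCredential, 'encryptedData'>

interface CallerSession {
  workspaceId: string
}

// Copy public fields one by one instead of spreading the entity, so a new
// sensitive column added later is not exposed by accident.
function toSummary(c: StoredCredential): CredentialSummary {
  return {
    id: c.id,
    name: c.name,
    credentialName: c.credentialName,
    workspaceId: c.workspaceId,
    updatedDate: c.updatedDate,
  }
}

// Lists credentials visible to the caller, optionally filtered by
// credentialName; the workspace comes from the session, not the request.
function listCredentials(
  store: StoredCredential[],
  session: CallerSession,
  credentialName?: string
): CredentialSummary[] {
  return store
    .filter((c) => c.workspaceId === session.workspaceId)
    .filter((c) => credentialName === undefined || c.credentialName === credentialName)
    .map(toSummary)
}

// Regression check for a response payload: true if any object in it still
// carries an encryptedData key after serialisation.
function containsSecretField(payload: unknown): boolean {
  return JSON.stringify(payload).includes('"encryptedData"')
}
```

containsSecretField is the kind of assertion worth running in an integration test over every credentials endpoint, since a filter parameter can easily route to a code path that forgot the projection.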


9) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information across workspace boundaries.

The vulnerability exists due to improper access control in the /api/v1/chatflows/apikey/:apikey endpoint when handling requests without the keyonly query parameter. A remote user can send a request with a valid API key to disclose sensitive information across workspace boundaries.

The response can include full chatflow objects for unprotected chatflows from other workspaces, including flowData, chatbotConfig, apiConfig, text-to-speech and speech-to-text configuration, analytics configuration, and credential IDs.


10) Improper access control (CVE-ID: CVE-2026-46442)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code on the host system.

The vulnerability exists due to improper access control in POST /api/v1/node-custom-function when handling authenticated requests that submit user-supplied JavaScript to the Custom JS Function node. A remote user can send a specially crafted request to execute arbitrary code on the host system.

Exploitation requires the NodeVM fallback path to be used, which occurs when E2B_APIKEY is not configured.


11) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: N/A)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify restricted user fields and bypass password change verification.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the PUT /api/v1/user endpoint when handling authenticated profile update requests. A remote user can send a crafted request body containing a credential value to modify restricted user fields and bypass password change verification.

The issue is limited to modification of the authenticated user's own account because the controller checks that the supplied id matches the current user.


12) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-42861)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to reassign variable resources to arbitrary workspaces and modify metadata fields.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the variable update endpoint when processing JSON update requests. A remote user can send a crafted PUT request with attacker-controlled internal properties to reassign variable resources to arbitrary workspaces and modify metadata fields.

This may break tenant isolation in multi-workspace environments.


13) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-46441)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify assistant resources across workspaces and alter protected metadata.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the assistant update endpoint when handling crafted update requests. A remote user can send a specially crafted PUT request to modify assistant resources across workspaces and alter protected metadata.

In multi-workspace deployments, exploitation can break tenant isolation by reassigning an assistant to an arbitrary workspace.


14) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-42862)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify tool resources across workspace boundaries.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the tool update endpoint when handling crafted PUT requests to /api/v1/tools/{toolId}. A remote user can supply server-controlled fields such as workspaceId, createdDate, and updatedDate to modify tool resources across workspace boundaries.

This breaks tenant isolation in multi-workspace environments.


15) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-42863)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify chatflow attributes across workspaces.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the chatflow update endpoint when handling crafted PUT requests to /api/v1/chatflows/{chatflowId}. A remote user can send a crafted JSON request body with server-controlled fields to modify chatflow attributes across workspaces.

In multi-tenant environments, exploitation can break tenant isolation boundaries by reassigning a chatflow to another workspace and changing its visibility or deployment state.
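Items 1 to 6 and 11 to 15 share one root cause: the request body is merged onto the entity, so server-controlled fields such as workspaceId, createdDate and updatedDate can be overwritten by the client. The standard fix is to copy only an explicit allowlist of client-editable fields, decide ownership from the authenticated session, and refuse (rather than reassign) when the session's workspace does not own the record. The following TypeScript is an added illustration written for this bulletin, not Flowise's code; the entity shape, the field list and the session object are assumptions, and the tool entity stands in for any of the affected resources.

```typescript
// Added example (not Flowise code): allowlist-based update that ignores
// server-controlled fields in the request body. Entity shape is assumed.
interface ToolEntity {
  id: string
  name: string
  description: string
  schema: string
  workspaceId: string
  createdDate: string
  updatedDate: string
}

// The only fields a client may change on update. Everything else in the
// body (workspaceId, createdDate, id, ...) is dropped, never merged.
const TOOL_UPDATABLE_FIELDS = ['name', 'description', 'schema'] as const

interface Session {
  userId: string
  workspaceId: string
}

// The vulnerable shape: whatever the body contains lands on the entity.
function mergeBodyUnsafely(existing: ToolEntity, body: Record<string, unknown>): ToolEntity {
  return Object.assign({}, existing, body) as ToolEntity
}

// Hardened update. Returns null when the caller's workspace does not own
// the record; ownership is decided by the session, never by the body.
function applyToolUpdate(
  existing: ToolEntity,
  body: Record<string, unknown>,
  session: Session,
  now: () => string = () => new Date().toISOString()
): ToolEntity | null {
  if (existing.workspaceId !== session.workspaceId) return null

  const updated: ToolEntity = { ...existing }
  for (const field of TOOL_UPDATABLE_FIELDS) {
    const value = body[field]
    if (typeof value === 'string') updated[field] = value
  }
  // Timestamps are set by the server regardless of what the body contains.
  updated.updatedDate = now()
  return updated
}

// Body keys that were ignored; worth logging, since a request that carries
// workspaceId or createdDate is a mass-assignment attempt or a buggy client.
function rejectedFields(body: Record<string, unknown>): string[] {
  const allowed = new Set<string>(TOOL_UPDATABLE_FIELDS)
  return Object.keys(body).filter((k) => !allowed.has(k))
}
```

The same shape applies to create requests: build the new entity from the allowlisted fields plus the session's workspaceId, and never read workspaceId from the body.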


16) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper access control in the MCP command validation logic when processing custom MCP server command configurations. A remote user can supply a crafted command such as a docker build invocation to execute arbitrary code.

Exploitation requires a Flowise account or an API key with view and update permissions for chatflows, and the target environment must have the docker command available.


17) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper access control in the MCP command validation logic when processing custom MCP server command configurations. A remote user can provide npx arguments using the --yes alias to execute arbitrary code.

Exploitation requires a Flowise account or an API key with view and update permissions for chatflows, and the target environment must have the npx command available.


18) Input validation error (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation in validateArgsForLocalFileAccess when validating node command arguments for local file access. A remote user can provide a crafted path beginning with // to execute arbitrary code.

Exploitation requires a Flowise account. The issue stems from an absolute-path check that fails to block paths beginning with a double slash.


19) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to abuse stored credentials to generate speech cross-origin.

The vulnerability exists due to improper access control in the TTS generation endpoint when handling cross-origin requests. A remote attacker can send a request from any webpage to abuse stored credentials to generate speech cross-origin.

The issue bypasses the server's otherwise restrictive default CORS policy.
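Item 19 arises when one endpoint sets its own permissive CORS headers instead of following the server-wide policy, so a page on any origin can make a browser spend the server's stored credentials. The defensive shape is a single allowlist-driven decision that every route reuses, that never reflects an arbitrary Origin, and that lets a handler refuse to do credentialed work for an unlisted origin. The following TypeScript is an added illustration written for this bulletin, not Flowise's code; the allowed origin, methods and headers are constructed sample values.

```typescript
// Added example (not Flowise code): one CORS decision for all routes, driven
// by an explicit allowlist, so no single route can quietly widen the policy.
// The listed origin is a constructed sample value.
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  'https://app.example.test',
])

interface CorsDecision {
  allowed: boolean
  headers: Record<string, string>
}

function decideCors(originHeader: string | undefined, isPreflight: boolean): CorsDecision {
  // No Origin header means this is not a cross-origin browser request.
  if (originHeader === undefined) return { allowed: true, headers: {} }

  // Exact match only. Never reflect the incoming Origin and never answer
  // "*" on an endpoint that spends stored credentials.
  if (!ALLOWED_ORIGINS.has(originHeader)) return { allowed: false, headers: {} }

  const headers: Record<string, string> = {
    'Access-Control-Allow-Origin': originHeader,
    Vary: 'Origin',   // caches must not serve one origin's answer to another
  }
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS'
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
    headers['Access-Control-Max-Age'] = '600'
  }
  return { allowed: true, headers }
}

// What a credentialed handler should do with the decision: skip the work
// entirely for a disallowed origin rather than rely on the browser to hide
// the response.
function shouldRunCredentialedAction(originHeader: string | undefined): boolean {
  return decideCors(originHeader, false).allowed
}
```

Removing the route-level override is the actual fix; this wrapper is the shape that makes such an override visible in review, because any route that wants different headers has to bypass decideCors explicitly.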


20) Insufficiently protected credentials (CVE-ID: CVE-2026-46440)

CWE-ID: CWE-522 - Insufficiently Protected Credentials

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to the application.

The vulnerability exists due to insufficiently protected credentials in the checkBasicAuth endpoint when handling authentication requests. A remote attacker can send repeated username and password guesses to gain access to the application.

User interaction is required for exploitation.
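Item 20 is an online guessing problem: checkBasicAuth accepts an unlimited number of username and password attempts. The usual mitigation is to count failures per client, lock the key out for a window after a threshold, and compare credentials in constant time. The following TypeScript is an added illustration written for this bulletin, not Flowise's code; the thresholds and the in-memory store are assumptions, and a multi-instance deployment would need a shared store for the limit to hold.

```typescript
// Added example (not Flowise code): failed-attempt throttling in front of a
// basic-auth check. Limits and the in-memory store are assumptions.
const MAX_FAILURES = 5
const LOCKOUT_MS = 15 * 60 * 1000

interface AttemptState {
  failures: number
  lockedUntil: number   // epoch milliseconds; 0 when not locked
}

const attempts = new Map<string, AttemptState>()

// Constant-time comparison so response timing does not reveal how many
// leading characters of a guess were correct. Length is mixed in up front.
function safeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length
  const n = Math.max(a.length, b.length)
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0)
  }
  return diff === 0
}

type AuthResult = 'ok' | 'invalid' | 'locked'

// clientKey groups attempts (for example source address plus username).
// `now` is injectable so the lockout window can be tested deterministically.
function checkBasicAuthThrottled(
  clientKey: string,
  username: string,
  password: string,
  expected: { username: string; password: string },
  now: number = Date.now()
): AuthResult {
  const state = attempts.get(clientKey) ?? { failures: 0, lockedUntil: 0 }
  if (state.lockedUntil > now) return 'locked'

  // Evaluate both comparisons unconditionally; no short-circuit on username.
  const userOk = safeEqual(username, expected.username)
  const passOk = safeEqual(password, expected.password)
  if (userOk && passOk) {
    attempts.delete(clientKey)
    return 'ok'
  }

  state.failures += 1
  if (state.failures >= MAX_FAILURES) {
    state.lockedUntil = now + LOCKOUT_MS
    state.failures = 0
  }
  attempts.set(clientKey, state)
  return 'invalid'
}
```

A 'locked' result should be returned with the same generic error message as 'invalid' so the response does not confirm which usernames exist; the distinction is for logging and alerting, where a burst of lockouts is the detection signal for this class of attack.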


Remediation

Install the update from the vendor's website.
