Improperly Controlled Modification of Dynamically-Determined Object Attributes in Flowise - CVE-2026-46480
Published: May 18, 2026
Flowise
Detailed vulnerability description
The vulnerability allows a remote user to modify evaluator ownership across workspaces and take over evaluator data.
The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the Evaluator controller/service when handling create and update requests. A remote user can send a crafted request with a modified workspaceId value to modify evaluator ownership across workspaces and take over evaluator data.
Exploitation requires an authenticated session with permission to update the source evaluator, and target workspace identifiers can be obtained from API responses.
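The flaw class described above, as an added example that is not Flowise's own code: an update handler that merges the whole request body next to one that copies only allowlisted fields and takes ownership from the session. The store, type names, field names and sample values are hypothetical and constructed for illustration.

```typescript
// Added example: hypothetical in-memory model, not Flowise source code.
interface Evaluator { id: string; name: string; type: string; workspaceId: string }
interface Session { userId: string; workspaceId: string }
type Store = Record<string, Evaluator>;
type Body = Record<string, unknown>;

// Constructed sample data: one evaluator owned by workspace "ws-a".
function makeStore(): Store {
  return { "ev-1": { id: "ev-1", name: "latency", type: "numeric", workspaceId: "ws-a" } };
}

// Vulnerable pattern: every client-supplied key is merged into the record,
// so a body that carries workspaceId changes which workspace owns the row.
function updateUnsafe(store: Store, id: string, body: Body): Evaluator {
  const current = store[id];
  if (!current) throw new Error("not found");
  const merged: Evaluator = Object.assign({}, current, body);
  store[id] = merged;
  return merged;
}

// Hardened pattern: only allowlisted fields are copied from the body, and
// ownership always comes from the authenticated session.
const EDITABLE = ["name", "type"] as const;

function updateSafe(store: Store, id: string, body: Body, session: Session) {
  const current = store[id];
  // Scope the lookup to the caller's workspace; foreign rows look missing.
  if (!current || current.workspaceId !== session.workspaceId) {
    throw new Error("not found");
  }
  const patch: Partial<Evaluator> = {};
  for (const key of EDITABLE) {
    const value = body[key];
    if (typeof value === "string") patch[key] = value;
  }
  // Keys outside the allowlist are returned so the caller can log them.
  const ignored = Object.keys(body).filter((k) => k !== "name" && k !== "type");
  const updated: Evaluator = { ...current, ...patch, id, workspaceId: session.workspaceId };
  store[id] = updated;
  return { updated, ignored };
}
```

A non-empty `ignored` list that contains `workspaceId` is a useful audit signal, since a legitimate client has no reason to send that field on an evaluator update.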