Improperly Controlled Modification of Dynamically-Determined Object Attributes in Flowise - CVE-2026-46479

 


Published: May 18, 2026


Vulnerability identifier: #VU131694
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-46479
CWE-ID: CWE-915
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote user to modify evaluation ownership across workspaces and disclose or alter evaluation data.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in packages/server/src/services/evaluations/index.ts when handling create or update requests for Evaluation entities. A remote user can send a crafted request containing a manipulated workspaceId to modify evaluation ownership across workspaces and disclose or alter evaluation data.

Exploitation requires an authenticated session with permission to update the source evaluation, and workspace identifiers can be obtained from API responses.
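A generic illustration of the CWE-915 pattern described above, contrasting an unfiltered merge with an allowlisted update. This is an added example, not Flowise source code; the Evaluation shape, the fields other than workspaceId, and the function names are hypothetical.

```typescript
// Added illustration of CWE-915 (mass assignment); hypothetical names, not Flowise source.
interface Evaluation {
    id: string
    name: string
    datasetId: string
    workspaceId: string
}

// Fields a client may set; ownership (workspaceId) and id are deliberately excluded.
const CLIENT_WRITABLE = ['name', 'datasetId'] as const

// Unsafe pattern: every key in the request body is merged onto the stored record,
// so a body that carries workspaceId rewrites ownership.
function unsafeUpdate(stored: Evaluation, body: Record<string, unknown>): Evaluation {
    return Object.assign({}, stored, body) as Evaluation
}

// Hardened pattern: verify the caller's workspace first, copy allowlisted fields only,
// and return the rejected keys so the handler can log them for detection.
function safeUpdate(
    stored: Evaluation,
    body: Record<string, unknown>,
    sessionWorkspaceId: string
): { record: Evaluation; rejected: string[] } {
    if (stored.workspaceId !== sessionWorkspaceId) {
        throw new Error('evaluation not found in caller workspace')
    }
    const record: Evaluation = { ...stored }
    const rejected: string[] = []
    for (const [key, value] of Object.entries(body)) {
        if ((CLIENT_WRITABLE as readonly string[]).includes(key) && typeof value === 'string') {
            record[key as (typeof CLIENT_WRITABLE)[number]] = value
        } else {
            rejected.push(key)
        }
    }
    return { record, rejected }
}

// Constructed sample data: a stored record and an update body that also carries workspaceId.
const stored: Evaluation = { id: 'ev-1', name: 'baseline', datasetId: 'ds-1', workspaceId: 'ws-A' }
const body: Record<string, unknown> = { name: 'renamed', workspaceId: 'ws-B' }
```

The workspace used for the ownership check comes from the authenticated session, never from the request body, and a non-empty rejected list is a useful signal to alert on.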


How to mitigate CVE-2026-46479

Install the security update from the vendor's website.
