Improperly Controlled Modification of Dynamically-Determined Object Attributes in Flowise - CVE-2026-46477
Published: May 18, 2026
Flowise
Detailed vulnerability description
The vulnerability allows a remote user to modify dataset ownership across workspaces and disclose or alter dataset contents.
The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the dataset service when handling create or update requests. A remote user can send a crafted request containing a workspaceId value to modify dataset ownership across workspaces and disclose or alter dataset contents.
Exploitation requires an authenticated session with permission to update the source dataset, and target workspace identifiers can be obtained from API responses.
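The pattern described above, shown as an added example that is not Flowise's own code: an update handler that merges the whole request body into the record, beside a hardened create and update that allow-list writable fields and take workspaceId only from the authenticated session. The in-memory store, the field names, the session shape and all function names are assumptions made for illustration.

```javascript
// Added illustration; store, fields, session shape and names are hypothetical.
const WRITABLE_FIELDS = ['name', 'description']; // assumed client-editable fields
const SERVER_OWNED = ['id', 'workspaceId'];      // never settable from a request body

// Vulnerable pattern: every body key is merged, so body.workspaceId
// reassigns the dataset to another workspace.
function updateUnsafe(store, session, id, body) {
  const row = store.get(id);
  if (!row || row.workspaceId !== session.workspaceId) throw new Error('not found');
  return Object.assign(row, body);
}

// Copy only allow-listed string fields. Server-owned attributes are rejected
// (not silently dropped) so the attempt can be logged and alerted on.
function pickWritable(body) {
  for (const key of SERVER_OWNED) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      throw new Error(`${key} is server-controlled`);
    }
  }
  const out = {};
  for (const key of WRITABLE_FIELDS) {
    if (!Object.prototype.hasOwnProperty.call(body, key)) continue;
    if (typeof body[key] !== 'string') throw new Error(`invalid ${key}`);
    out[key] = body[key];
  }
  return out;
}

// Hardened create: ownership comes from the authenticated session only.
function createSafe(store, session, id, body) {
  const row = { ...pickWritable(body), id, workspaceId: session.workspaceId };
  store.set(id, row);
  return row;
}

// Hardened update: the lookup is scoped to the caller's workspace, then only
// allow-listed fields are applied. pickWritable throws before any mutation.
function updateSafe(store, session, id, body) {
  const row = store.get(id);
  if (!row || row.workspaceId !== session.workspaceId) throw new Error('not found');
  return Object.assign(row, pickWritable(body));
}

// Constructed sample data: one dataset owned by workspace ws-A.
function sampleStore() {
  return new Map([['ds-1', { id: 'ds-1', name: 'eval set', description: '', workspaceId: 'ws-A' }]]);
}
```

Rejecting the request outright is one design choice; an API whose clients echo workspaceId back could instead accept it only when it equals the session's value.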