Improperly Controlled Modification of Dynamically-Determined Object Attributes in Flowise - CVE-2026-46478

 


Published: May 18, 2026


Vulnerability identifier: #VU131696
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-46478
CWE-ID: CWE-915
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software: Flowise

Detailed vulnerability description

The vulnerability allows a remote user to modify dataset rows across workspace boundaries and disclose sensitive information.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the DatasetRow create and update service in packages/server/src/services/dataset/index.ts. When handling API requests, the service mass-assigns request body fields onto DatasetRow entities. A remote user can send a specially crafted request with a client-controlled workspaceId or datasetId to modify dataset rows across workspace boundaries and disclose sensitive information.

Exploitation requires an authenticated session with permission to edit the source dataset row, and workspace identifiers can be obtained from API responses.
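The mass-assignment pattern described above, next to an allowlist-based form, as an added example that is not Flowise's code or the vendor's fix. The row shape (id, input, output), the editable-field set, the function names and the sessionWorkspaceId parameter are assumptions made for illustration; only workspaceId and datasetId come from the advisory.

```typescript
// Constructed illustration of CWE-915 mass assignment; not Flowise source code.
// Field names other than workspaceId and datasetId are assumptions.
type DatasetRow = {
  id: string
  datasetId: string
  workspaceId: string
  input: string
  output: string
}

// Fields a client may change on an existing row (assumed set).
const EDITABLE_FIELDS = ['input', 'output'] as const

// Vulnerable pattern: every body key is copied onto the entity, so a
// client-supplied workspaceId or datasetId replaces the stored value.
function updateRowUnsafe(row: DatasetRow, body: Record<string, unknown>): DatasetRow {
  const updated: DatasetRow = { ...row }
  const target: Record<string, unknown> = updated
  for (const key of Object.keys(body)) target[key] = body[key]
  return updated
}

// Hardened pattern: the workspace comes from the authenticated session,
// never from the body, and only allowlisted fields are copied.
function updateRowSafe(row: DatasetRow, body: Record<string, unknown>, sessionWorkspaceId: string): DatasetRow {
  if (row.workspaceId !== sessionWorkspaceId) {
    throw new Error('row does not belong to the caller workspace')
  }
  const updated: DatasetRow = { ...row }
  for (const field of EDITABLE_FIELDS) {
    const value = body[field]
    if (typeof value === 'string') updated[field] = value
  }
  return updated
}

// Body keys outside the allowlist, for rejecting or logging the request.
function rejectedKeys(body: Record<string, unknown>): string[] {
  const allowed: readonly string[] = EDITABLE_FIELDS
  return Object.keys(body).filter((k) => allowed.indexOf(k) === -1).sort()
}
```

Logging the output of rejectedKeys for requests that carry workspaceId or datasetId gives a detection signal for attempts against this class of bug.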


How to mitigate CVE-2026-46478

Install the security update from the vendor's website.
