Improperly Controlled Modification of Dynamically-Determined Object Attributes in Flowise - CVE-2026-46476

 

Published: May 18, 2026


Vulnerability identifier: #VU131697
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-46476
CWE-ID: CWE-915
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software: Flowise

Detailed vulnerability description

The vulnerability allows a remote user to modify custom templates across workspace boundaries.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the CustomTemplate create and update logic in packages/server/src/services/marketplaces/index.ts when handling crafted API requests. A remote user can send a crafted request with a user-controlled workspaceId to modify custom templates across workspace boundaries.

Exploitation requires an authenticated session with permission to update the source custom template, and target workspace identifiers can be obtained from API responses.
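
The class of flaw described above (CWE-915), sketched as an added example that is not Flowise's code: an update handler that merges the request body into the stored record, beside one that scopes the lookup to the session's workspace and copies only allow-listed fields. Every name other than `workspaceId` (the record fields, `updateUnsafe`, `updateSafe`, the in-memory store and its sample values) is hypothetical.

```typescript
// Hypothetical record shape; every field name except workspaceId is an assumption.
interface CustomTemplate {
  id: string; workspaceId: string; name: string; description: string; flowData: string;
}
type Store = Map<string, CustomTemplate>;

// Constructed in-memory store standing in for the database.
function seedStore(): Store {
  return new Map<string, CustomTemplate>([
    ["t1", { id: "t1", workspaceId: "ws-A", name: "A tpl", description: "", flowData: "{}" }],
  ]);
}

// Unsafe pattern (CWE-915): every key in the body, workspaceId included,
// is written onto the stored entity.
function updateUnsafe(store: Store, id: string, body: Record<string, unknown>): CustomTemplate {
  const existing = store.get(id);
  if (!existing) throw new Error("not found");
  const merged: CustomTemplate = Object.assign({}, existing, body);
  store.set(id, merged);
  return merged;
}

// Only these fields may come from the client; id and workspaceId never do.
const EDITABLE = ["name", "description", "flowData"] as const;

// Hardened pattern: the workspace comes from the authenticated session,
// the lookup is scoped to it, and only allow-listed string fields are copied.
function updateSafe(
  store: Store, id: string, sessionWorkspaceId: string, body: Record<string, unknown>,
): CustomTemplate {
  const existing = store.get(id);
  if (!existing || existing.workspaceId !== sessionWorkspaceId) throw new Error("not found");
  const next: CustomTemplate = { ...existing };
  for (const key of EDITABLE) {
    const value = body[key];
    if (typeof value === "string") next[key] = value;
  }
  store.set(id, next);
  return next;
}
```

Returning the same "not found" error for a missing record and for a record in another workspace avoids confirming that an identifier exists outside the caller's workspace.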


How to mitigate CVE-2026-46476

Install the security update from the vendor's website.
