Improperly Controlled Modification of Dynamically-Determined Object Attributes in Flowise - CVE-2026-46475

 


Published: May 18, 2026


Vulnerability identifier: #VU131698
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-46475
CWE-ID: CWE-915
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software: Flowise

Detailed vulnerability description

The vulnerability allows a remote user to take over assistants across workspaces.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the assistants service when handling create and update requests. A remote user can send a crafted request with a modified workspaceId value to take over assistants across workspaces.

Exploitation requires an authenticated session with permission to update the source assistant, and target workspace identifiers can be enumerated from API responses.
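
The sketch below is an added example, not Flowise code: it shows the CWE-915 pattern the description refers to, an update handler that copies the whole request body onto the stored record, next to a version that allowlists fields and takes workspaceId from the authenticated session. The function names, field names, session object and sample values are assumptions made for illustration.

```javascript
// Added illustration of CWE-915 (mass assignment). All names are hypothetical;
// this is not Flowise source code.

// Assumed allowlist of fields a client may change on an assistant.
const UPDATABLE_FIELDS = ['name', 'instructions'];

// Vulnerable pattern: every property in the request body is copied onto the
// stored record, so an ownership attribute such as workspaceId can be replaced.
function updateAssistantUnsafe(record, body) {
  return Object.assign({}, record, body);
}

// Hardened pattern: the record must belong to the caller's workspace, only
// allowlisted fields are copied, and workspaceId comes from the session.
function updateAssistantSafe(record, body, session) {
  if (record.workspaceId !== session.workspaceId) {
    throw new Error('assistant is not in the caller workspace');
  }
  const updated = { ...record };
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (UPDATABLE_FIELDS.includes(key)) {
      updated[key] = body[key];
    } else {
      rejected.push(key); // worth logging: client tried to set a server-owned field
    }
  }
  updated.workspaceId = session.workspaceId;
  return { updated, rejected };
}

// Constructed sample data.
const record = { id: 'a1', name: 'Helper', instructions: 'Be brief', workspaceId: 'ws-A' };
const session = { userId: 'u1', workspaceId: 'ws-A' };
const body = JSON.parse('{"name":"Helper v2","workspaceId":"ws-B"}');

console.log(updateAssistantUnsafe(record, body).workspaceId);
const result = updateAssistantSafe(record, body, session);
console.log(result.updated.workspaceId, result.rejected);
```

The `rejected` list gives a detection signal: a request that tries to set `workspaceId` on an update is worth an audit log entry even when the write is blocked.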


How to mitigate CVE-2026-46475

Install the security update from the vendor's website.
