Improperly Controlled Modification of Dynamically-Determined Object Attributes in Flowise - #VU131703

Published: May 18, 2026


Vulnerability identifier: #VU131703
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-915
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote authenticated user to modify restricted user fields and bypass password change verification.

The vulnerability exists because the PUT /api/v1/user endpoint, when handling an authenticated profile update request, applies attributes from the request body to the stored user object without restricting which attributes may be set (CWE-915, mass assignment). A remote authenticated user can send a crafted request body that includes a credential value alongside ordinary profile fields to modify restricted user fields and set a new credential without the verification normally required for a password change.

The impact is limited to the authenticated user's own account, because the controller checks that the id supplied in the request matches the current user.
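To make the CWE-915 pattern concrete, the following TypeScript is an added example written for this advisory; it is not Flowise code and does not reproduce the actual endpoint. The user record shape, the field names (name, email, role, credential), the allow-list and the changePassword helper are all assumptions. It contrasts a handler that copies the whole request body onto the user (the vulnerable shape, with the same own-account id check the advisory describes) against one that applies only allow-listed profile fields and routes password changes through a path that verifies the current password.

```typescript
import { scryptSync, randomBytes, timingSafeEqual } from "crypto";

// Hypothetical user record. Field names are assumptions for this example,
// not Flowise's actual schema.
export interface UserRecord {
  id: string;
  name: string;
  email: string;
  role: string;        // assumed restricted field: not user-editable
  credential: string;  // "salt:hex(scrypt)" of the password
}

export function hashPassword(password: string): string {
  const salt = randomBytes(16).toString("hex");
  return `${salt}:${scryptSync(password, salt, 32).toString("hex")}`;
}

export function verifyPassword(password: string, stored: string): boolean {
  const [salt, hex] = stored.split(":");
  if (!salt || !hex) return false;
  const expected = Buffer.from(hex, "hex");
  const candidate = scryptSync(password, salt, 32);
  return expected.length === candidate.length && timingSafeEqual(candidate, expected);
}

// Vulnerable shape (CWE-915). The id check keeps the update to the caller's
// own account, but every key in the body is copied onto the record, so a
// body carrying "credential" replaces the stored password with no
// verification of the current one, and "role" is overwritten as well.
export function vulnerableUpdate(
  user: UserRecord,
  currentUserId: string,
  body: Record<string, unknown>,
): UserRecord {
  if (body.id !== currentUserId) throw new Error("forbidden");
  return Object.assign({}, user, body) as UserRecord;
}

// Hardened shape: only allow-listed profile fields are copied; anything
// else in the body, including credential and role, is ignored.
const PROFILE_FIELDS = ["name", "email"] as const;

export function hardenedUpdate(
  user: UserRecord,
  currentUserId: string,
  body: Record<string, unknown>,
): UserRecord {
  if (body.id !== currentUserId) throw new Error("forbidden");
  const next: UserRecord = { ...user };
  for (const key of PROFILE_FIELDS) {
    const value = body[key];
    if (typeof value === "string") next[key] = value;
  }
  return next;
}

// Password changes go through a dedicated path that requires the current
// password, so a mass-assignment body cannot skip the verification.
export function changePassword(
  user: UserRecord,
  currentUserId: string,
  body: { id: string; currentPassword: string; newPassword: string },
): UserRecord {
  if (body.id !== currentUserId) throw new Error("forbidden");
  if (!verifyPassword(body.currentPassword, user.credential)) {
    throw new Error("current password incorrect");
  }
  return { ...user, credential: hashPassword(body.newPassword) };
}

// Constructed scenario: an authenticated user sends a profile update whose
// body smuggles in a new credential and a restricted field.
export function demo() {
  const alice: UserRecord = {
    id: "u1", name: "Alice", email: "alice@example.test",
    role: "user", credential: hashPassword("correct horse"),
  };
  const craftedBody = {
    id: "u1", name: "Alice A.", role: "admin", credential: hashPassword("pwned"),
  };
  const afterVulnerable = vulnerableUpdate(alice, "u1", craftedBody);
  const afterHardened = hardenedUpdate(alice, "u1", craftedBody);

  let wrongPasswordRejected = false;
  try {
    changePassword(alice, "u1", { id: "u1", currentPassword: "wrong", newPassword: "x" });
  } catch {
    wrongPasswordRejected = true;
  }
  const rotated = changePassword(alice, "u1", {
    id: "u1", currentPassword: "correct horse", newPassword: "new secret",
  });

  return {
    vulnerableRole: afterVulnerable.role,
    vulnerableAcceptsNewPassword: verifyPassword("pwned", afterVulnerable.credential),
    hardenedRole: afterHardened.role,
    hardenedAcceptsNewPassword: verifyPassword("pwned", afterHardened.credential),
    hardenedName: afterHardened.name,
    wrongPasswordRejected,
    rotatedAcceptsNewPassword: verifyPassword("new secret", rotated.credential),
  };
}
```

The own-account id check is kept in both handlers to show that it is not the missing control: it only scopes the write to the caller's record, while the allow-list is what decides which attributes that write may touch.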


Remediation

Install the security update from the vendor's website.

Sources