CVE-2026-42863— Flowise: Mass Assignment in Chatflow Update Endpoint Allows Cross-Workspace AgentFlow Reassignment
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42863
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Flowise: Mass Assignment in Chatflow Update Endpoint Allows Cross-Workspace AgentFlow Reassignment
Source: NVD (National Vulnerability Database)
Vulnerability Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings. This issue has been patched in version 3.1.2.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Flowise 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Flowise是FlowiseAI开源的一个用于轻松构建 LLM 应用程序的工具。 Flowise 3.1.2之前版本存在访问控制错误漏洞,该漏洞源于聊天流更新端点缺少服务器端验证和授权检查,可能导致批量赋值漏洞,允许经过身份验证的用户操纵聊天流的内部属性并将其重新分配到另一个工作区,导致跨工作区资源重新分配以及部署和可见性设置的未授权修改。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42863
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42863
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-42863 (1)
Vendor Pages for CVE-2026-42863 (1)
Same Patch Batch · FlowiseAI · 2026-06-08 · 14 CVEs total
| CVE-2026-42862 | Flowise: Mass Assignment in Tool Update Endpoint Allows Cross-Workspace Resource Reassignm | |
| CVE-2026-42861 | Flowise: Mass Assignment in Variable Update Endpoint Allows Cross-Workspace Resource Reass | |
| CVE-2026-46476 | Flowise: CustomTemplate create+update mass-assignment allows cross-workspace template take | |
| CVE-2026-46479 | Flowise: Evaluation create+update mass-assignment allows cross-workspace evaluation takeov | |
| CVE-2026-46475 | Flowise: Assistant create+update mass-assignment allows cross-workspace assistant takeover | |
| CVE-2026-46444 | Flowise: Vector Store No Permission Checks | |
| CVE-2026-46478 | Flowise: DatasetRow create+update mass-assignment allows cross-workspace row takeover | |
| CVE-2026-46442 | Flowise: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox E | |
| CVE-2026-46477 | Flowise: Dataset create+update mass-assignment allows cross-workspace dataset takeover | |
| CVE-2026-46480 | Flowise: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover | |
| CVE-2026-46440 | Flowise: Basic Auth Credentials Exposed via API | |
| CVE-2026-46443 | Flowise: Credential Data Leak | |
| CVE-2026-46441 | Flowise: Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource Reas |
IV. Related Vulnerabilities
Same product: Flowise
- CVE-2026-46480
Flowise: Evaluator create+update mass-assignment allows cros - CVE-2026-46479
Flowise: Evaluation create+update mass-assignment allows cro - CVE-2026-46478
Flowise: DatasetRow create+update mass-assignment allows cro - CVE-2026-46477
Flowise: Dataset create+update mass-assignment allows cross- - CVE-2026-46476
Flowise: CustomTemplate create+update mass-assignment allows
Same vendor: FlowiseAI
- CVE-2026-46480
Flowise: Evaluator create+update mass-assignment allows cros - CVE-2026-46479
Flowise: Evaluation create+update mass-assignment allows cro - CVE-2026-46478
Flowise: DatasetRow create+update mass-assignment allows cro - CVE-2026-46477
Flowise: Dataset create+update mass-assignment allows cross- - CVE-2026-46476
Flowise: CustomTemplate create+update mass-assignment allows
Same weakness: CWE-284
- CVE-2026-48908
Joomla Extension - joomshaper.com - Remote Code Execution in - CVE-2026-48939
Joomla Extension - icagenda.com - Remote Code Execution in i - CVE-2026-56082
Capgo - Unauthenticated Cross-Tenant Billing Log Tampering v - CVE-2026-4027
FlexNet Manager Suite Attachment File Disclosure - CVE-2026-4026
FlexNet Manager Suite Privilege Escalation Vulnerability
V. Comments for CVE-2026-42863
No comments yet