CVE-2026-30822 is a vulnerability identified in FlowiseAI's Flowise product, a drag-and-drop interface for building customized large language model workflows. The flaw exists in versions prior to 3.0.13 and stems from improper control over dynamically-determined object attributes (CWE-915). Specifically, unauthenticated users can inject arbitrary values into internal database fields during the creation of leads. This injection occurs because the application fails to properly validate or restrict modifications to these attributes, allowing attackers to manipulate internal data structures. The vulnerability is remotely exploitable without authentication or user interaction but requires high attack complexity, indicating some non-trivial conditions must be met. The CVSS v3.0 score is 7.7 (high), reflecting the significant confidentiality and integrity impacts, with limited availability impact. Although no known exploits have been reported in the wild, the vulnerability poses a serious risk of unauthorized data manipulation, potentially leading to data corruption, privilege escalation, or unauthorized access within the application environment. The issue was addressed and patched in Flowise version 3.0.13.

The vulnerability allows unauthenticated attackers to inject arbitrary data into internal database fields, compromising the confidentiality and integrity of the affected system. This can lead to unauthorized data manipulation, corruption of lead information, or potentially unauthorized access if the injected data influences application logic or permissions. The limited impact on availability suggests the system remains operational but with compromised data trustworthiness. Organizations relying on Flowise for AI workflow management may face risks including data breaches, loss of data integrity, and potential downstream effects on AI model outputs or business processes. The absence of required authentication and user interaction increases the attack surface, making remote exploitation feasible. Although no active exploitation is currently known, the high severity and ease of remote access make timely remediation critical to prevent future attacks.

1. Upgrade all Flowise installations to version 3.0.13 or later immediately to apply the official patch addressing this vulnerability. 2. Implement strict input validation and sanitization on all user-supplied data, especially for fields that map to internal database attributes. 3. Enforce least privilege principles on database access to limit the impact of any injected data. 4. Monitor application logs for unusual lead creation activities or anomalous data entries that could indicate exploitation attempts. 5. Conduct regular security audits and code reviews focusing on dynamic attribute handling and database interactions. 6. Consider implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting lead creation endpoints. 7. Educate development and operations teams about CWE-915 risks and secure coding practices to prevent similar issues in future releases.