CVE-2026-41277: CWE-284: Improper Access Control in FlowiseAI Flowise
CVE-2026-41277 is a high-severity improper access control vulnerability in Flowise versions prior to 3. 1. 0. It arises from a Mass Assignment issue in the DocumentStore creation endpoint, allowing authenticated users to control primary key and internal state fields. This causes the create endpoint to behave as an implicit UPSERT, enabling overwriting of existing DocumentStore objects. In multi-workspace or multi-tenant environments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR). The vulnerability is fixed in Flowise version 3. 1. 0.
AI Analysis
Technical Summary
FlowiseAI's Flowise product before version 3.1.0 contains a Mass Assignment vulnerability in the DocumentStore creation POST endpoint. Authenticated users can supply the primary key (id) and internal state fields, which the service uses directly in repository.save(), causing the endpoint to perform an implicit UPSERT operation. This allows overwriting existing DocumentStore entities. In deployments supporting multiple workspaces or tenants, this flaw enables attackers to take over or modify DocumentStore objects belonging to other workspaces, resulting in broken object-level authorization (IDOR). The issue is addressed in version 3.1.0.
Potential Impact
The vulnerability allows authenticated users to overwrite DocumentStore objects, potentially leading to unauthorized modification or takeover of data across different workspaces or tenants. This breaks object-level authorization controls and can compromise data integrity and confidentiality within multi-tenant deployments. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability is fixed in Flowise version 3.1.0. Users should upgrade to version 3.1.0 or later to remediate this issue. Patch status is not explicitly stated beyond this fix version, so verifying the upgrade and consulting the vendor's official advisory is recommended.
CVE-2026-41277: CWE-284: Improper Access Control in FlowiseAI Flowise
Description
CVE-2026-41277 is a high-severity improper access control vulnerability in Flowise versions prior to 3. 1. 0. It arises from a Mass Assignment issue in the DocumentStore creation endpoint, allowing authenticated users to control primary key and internal state fields. This causes the create endpoint to behave as an implicit UPSERT, enabling overwriting of existing DocumentStore objects. In multi-workspace or multi-tenant environments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR). The vulnerability is fixed in Flowise version 3. 1. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FlowiseAI's Flowise product before version 3.1.0 contains a Mass Assignment vulnerability in the DocumentStore creation POST endpoint. Authenticated users can supply the primary key (id) and internal state fields, which the service uses directly in repository.save(), causing the endpoint to perform an implicit UPSERT operation. This allows overwriting existing DocumentStore entities. In deployments supporting multiple workspaces or tenants, this flaw enables attackers to take over or modify DocumentStore objects belonging to other workspaces, resulting in broken object-level authorization (IDOR). The issue is addressed in version 3.1.0.
Potential Impact
The vulnerability allows authenticated users to overwrite DocumentStore objects, potentially leading to unauthorized modification or takeover of data across different workspaces or tenants. This breaks object-level authorization controls and can compromise data integrity and confidentiality within multi-tenant deployments. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability is fixed in Flowise version 3.1.0. Users should upgrade to version 3.1.0 or later to remediate this issue. Patch status is not explicitly stated beyond this fix version, so verifying the upgrade and consulting the vendor's official advisory is recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-18T14:01:46.802Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ea9e7887115cfb686fc38c
Added to database: 4/23/2026, 10:34:32 PM
Last enriched: 4/23/2026, 11:21:58 PM
Last updated: 4/24/2026, 6:10:57 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.