Flowise, a drag-and-drop interface for building customized large language model flows, had a vulnerability (CWE-915) in versions before 3.1.2. The CustomTemplate create and update operations allowed mass-assignment of attributes without proper control, enabling an attacker with some privileges to take over templates across different workspaces. This could lead to unauthorized modification or control of templates beyond the attacker's workspace boundaries. The vulnerability is addressed by an official patch in version 3.1.2.

An attacker with limited privileges could exploit this vulnerability to perform cross-workspace template takeover, potentially modifying or controlling templates in other users' workspaces. This could lead to unauthorized changes in the behavior of large language model flows built using Flowise, impacting confidentiality and integrity within the affected environment.

Upgrade Flowise to version 3.1.2 or later, where this vulnerability has been patched. Since the vendor has released an official fix, applying this update is the recommended remediation. No additional mitigation steps are indicated by the vendor advisory.