FlowiseAI's Flowise, a drag-and-drop interface for building customized large language model flows, contained a vulnerability (CWE-915) before version 3.1.2. The vulnerability allowed improper mass-assignment during evaluation create and update operations, which could be exploited to take over evaluations across different workspaces. This security flaw was fixed in version 3.1.2. The CVSS 4.0 score is 7.7, indicating a high severity with network attack vector, low attack complexity, and partial privileges required.

Successful exploitation of this vulnerability could allow an attacker with limited privileges to perform cross-workspace evaluation takeover, potentially leading to unauthorized modification or control of evaluation objects in other workspaces. This could impact the integrity and confidentiality of data and operations within Flowise environments running affected versions.

Upgrade Flowise to version 3.1.2 or later, where this vulnerability has been patched. Since the vendor advisory confirms the fix in version 3.1.2, applying this official update is the recommended remediation. No additional mitigation guidance is provided or required beyond applying the patch.