CVE-2026-46480: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in FlowiseAI Flowise
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2.
AI Analysis
Technical Summary
CVE-2026-46480 is a CWE-915 vulnerability in FlowiseAI's Flowise product, a drag-and-drop interface for building customized large language model flows. The issue arises from improper control over modification of dynamically-determined object attributes during evaluator creation and update operations, enabling mass-assignment attacks that allow an attacker with limited privileges to take over evaluators across different workspaces. This vulnerability affects all versions prior to 3.1.2 and has been fixed in version 3.1.2. The CVSS 4.0 base score is 7.7, indicating a high severity with network attack vector, low attack complexity, and requiring privileges but no user interaction.
Potential Impact
Successful exploitation of this vulnerability allows an attacker with some privileges to perform mass-assignment on evaluator objects, resulting in cross-workspace evaluator takeover. This could lead to unauthorized control or manipulation of evaluators in other workspaces, potentially compromising data integrity or confidentiality within those workspaces.
Mitigation Recommendations
Upgrade Flowise to version 3.1.2 or later, where this vulnerability has been patched. There is no indication of alternative mitigations or temporary workarounds. Users should verify they are not running affected versions and apply the official update promptly.
CVE-2026-46480: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in FlowiseAI Flowise
Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2.
CVSS v4.0
Score 7.7high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46480 is a CWE-915 vulnerability in FlowiseAI's Flowise product, a drag-and-drop interface for building customized large language model flows. The issue arises from improper control over modification of dynamically-determined object attributes during evaluator creation and update operations, enabling mass-assignment attacks that allow an attacker with limited privileges to take over evaluators across different workspaces. This vulnerability affects all versions prior to 3.1.2 and has been fixed in version 3.1.2. The CVSS 4.0 base score is 7.7, indicating a high severity with network attack vector, low attack complexity, and requiring privileges but no user interaction.
Potential Impact
Successful exploitation of this vulnerability allows an attacker with some privileges to perform mass-assignment on evaluator objects, resulting in cross-workspace evaluator takeover. This could lead to unauthorized control or manipulation of evaluators in other workspaces, potentially compromising data integrity or confidentiality within those workspaces.
Mitigation Recommendations
Upgrade Flowise to version 3.1.2 or later, where this vulnerability has been patched. There is no indication of alternative mitigations or temporary workarounds. Users should verify they are not running affected versions and apply the official update promptly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-14T18:06:06.810Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a26e46de29bf47b501e5311
Added to database: 6/8/2026, 3:49:01 PM
Last enriched: 6/8/2026, 4:03:33 PM
Last updated: 6/9/2026, 4:58:26 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.