FlowiseAI (<= 3.1.1) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/flowiseai--3.1.1/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 14 May 2026 15:00:09 +0000FlowiseAI Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource Reassignmenthttps://feed.craftedsignal.io/briefs/2026-05-flowiseai-mass-assignment/Thu, 14 May 2026 15:00:09 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-flowiseai-mass-assignment/FlowiseAI version 3.1.1 and earlier contains a mass assignment vulnerability in the assistant update endpoint, allowing authenticated users to modify server-controlled properties like workspaceId, createdDate, and updatedDate, enabling cross-workspace reassignment of assistants and breaking tenant isolation in multi-workspace environments.FlowiseAI version 3.1.1 and earlier is vulnerable to a mass assignment vulnerability in its assistant update endpoint. This vulnerability allows authenticated users to modify server-controlled properties, including workspaceId, createdDate, and updatedDate. By manipulating these properties, particularly the workspaceId, an attacker can reassign assistants to arbitrary workspaces. This poses a significant risk in multi-tenant deployments where tenant isolation is critical. The vulnerability arises due to missing server-side validation and authorization checks, allowing user-controlled request bodies to override internal, server-controlled properties. This can lead to unauthorized data access and modification across different workspaces.

Attack Chain

  1. Attacker authenticates to the FlowiseAI interface with valid credentials.
  2. Attacker captures the HTTP request sent to update an assistant resource using the PUT /api/v1/assistants/{assistantId} endpoint.
  3. Attacker modifies the JSON request body to include the workspaceId parameter, setting it to the target workspace’s ID.
  4. The attacker also injects createdDate and updatedDate parameters to control the assistant’s metadata.
  5. Attacker sends the modified request to the /api/v1/assistants/{assistantId} endpoint.
  6. The server accepts the attacker-controlled workspaceId, createdDate, and updatedDate values without proper validation.
  7. The assistant resource is reassigned to the attacker-specified workspace, breaking tenant isolation.
  8. The attacker can now access and manipulate the reassigned assistant within the target workspace, potentially gaining unauthorized access to sensitive data.

Impact

The mass assignment vulnerability in FlowiseAI allows authenticated users to perform unauthorized actions, including cross-workspace reassignment of assistants and modification of metadata. In multi-tenant deployments, this can lead to a complete breakdown of tenant isolation, allowing attackers to access and manipulate resources belonging to other tenants. The confirmed impacts include unauthorized modification of assistant metadata and cross-workspace data access. If successful, this can lead to data breaches, compliance violations, and reputational damage.

Recommendation

  • Deploy the Sigma rule Detect FlowiseAI Assistant WorkspaceId Manipulation to detect attempts to modify the workspaceId parameter in the /api/v1/assistants/{assistantId} endpoint.
  • Deploy the Sigma rule Detect FlowiseAI Assistant Date Field Manipulation to detect attempts to modify the createdDate or updatedDate parameters in the /api/v1/assistants/{assistantId} endpoint.
  • Upgrade FlowiseAI to a version greater than 3.1.1 to remediate the mass assignment vulnerability.
]]>highadvisorymass assignmenttenant isolationflowiseaiweb application