{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/flowiseai/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise (\u003c= 3.1.1)","FlowiseAI"],"_cs_severities":["high"],"_cs_tags":["mass-assignment","cross-workspace","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI, a low-code/no-code platform for building AI orchestration flows, is susceptible to a mass assignment vulnerability in versions 3.1.1 and earlier. The vulnerability resides within the Evaluation controller/service (\u003ccode\u003epackages/server/src/services/evaluations/index.ts\u003c/code\u003e). By exploiting this flaw, an authenticated user can manipulate the \u003ccode\u003eworkspaceId\u003c/code\u003e of an Evaluation entity. This manipulation is possible due to the use of \u003ccode\u003eObject.assign(entity, body)\u003c/code\u003e without proper input validation, allowing an attacker to inject arbitrary \u003ccode\u003eworkspaceId\u003c/code\u003e values into the request body. The vulnerability poses a significant risk as it enables cross-workspace data access and manipulation, potentially exposing sensitive information to unauthorized users. The root cause is similar to a previously patched vulnerability in \u003ccode\u003eDocumentStore\u003c/code\u003e (commit 840d2ae), indicating a pattern of insecure object assignment within the codebase.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to FlowiseAI as a member of workspace A, obtaining a valid session cookie or JWT.\u003c/li\u003e\n\u003cli\u003eAttacker identifies or creates an Evaluation entity within workspace A, noting its unique \u003ccode\u003eid\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker obtains the \u003ccode\u003eworkspaceId\u003c/code\u003e of a target workspace B, potentially through API enumeration (e.g., \u003ccode\u003e/api/v1/workspaces\u003c/code\u003e) or by inspecting other entities\u0026rsquo; \u003ccode\u003eworkspaceId\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a \u003ccode\u003ePUT\u003c/code\u003e request to the \u003ccode\u003e/api/v1/evaluations/\u0026lt;id\u0026gt;\u003c/code\u003e endpoint, using the \u003ccode\u003eid\u003c/code\u003e of the Evaluation entity from workspace A.\u003c/li\u003e\n\u003cli\u003eThe request body includes a JSON payload with the \u003ccode\u003e\u0026quot;workspaceId\u0026quot;\u003c/code\u003e field set to the \u003ccode\u003eworkspaceId\u003c/code\u003e of workspace B.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s Evaluation controller receives the request and uses \u003ccode\u003eObject.assign(updateEntity, body)\u003c/code\u003e to update the Evaluation entity. The attacker-controlled \u003ccode\u003eworkspaceId\u003c/code\u003e overwrites the existing value.\u003c/li\u003e\n\u003cli\u003eThe persistence layer commits the changes to the database, associating the Evaluation entity with workspace B.\u003c/li\u003e\n\u003cli\u003eThe Evaluation entity is now accessible to members of workspace B and inaccessible to members of workspace A, resulting in unauthorized data access and potential modification.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows any authenticated user to move Evaluation entities between workspaces. This cross-workspace boundary violation allows an attacker to access and potentially modify evaluation runs, including captured prompts, model outputs, and scoring data, belonging to other workspaces. Successful exploitation leads to a high level of data exposure, as the attacker can exfiltrate or manipulate data that should be isolated to specific workspaces. The vulnerability affects FlowiseAI versions up to and including 3.1.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FlowiseAI to the latest version, which includes the fix from PR \u003ca href=\"https://github.com/FlowiseAI/Flowise/pull/6050\"\u003ehttps://github.com/FlowiseAI/Flowise/pull/6050\u003c/a\u003e that implements an allowlist pattern for updating Evaluation entities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlowiseAI Evaluation WorkspaceId Manipulation\u003c/code\u003e to identify potential exploitation attempts by monitoring PUT requests to the \u003ccode\u003e/api/v1/evaluations/\u0026lt;id\u0026gt;\u003c/code\u003e endpoint with modified \u003ccode\u003eworkspaceId\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eImplement regression tests, as suggested in the source, to ensure that future code changes do not reintroduce the mass assignment vulnerability.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional input validation on API endpoints to prevent similar mass assignment vulnerabilities in other parts of the application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:23:48Z","date_published":"2026-05-14T16:23:48Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-evaluation-takeover/","summary":"FlowiseAI is vulnerable to a mass assignment vulnerability (fixed in PR 6050) that allows authenticated users to move Evaluation entities between workspaces by overwriting the `workspaceId` field via API request, leading to unauthorized data access.","title":"FlowiseAI Evaluation Cross-Workspace Data Takeover via Mass Assignment","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-evaluation-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise \u003c= 3.1.1","FlowiseAI"],"_cs_severities":["high"],"_cs_tags":["mass-assignment","idor","privilege-escalation","cloud"],"_cs_type":"threat","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI versions 3.1.1 and earlier are susceptible to a mass assignment vulnerability within the Evaluator entity. This flaw arises from the Evaluator controller/service\u0026rsquo;s use of \u003ccode\u003eObject.assign(entity, body)\u003c/code\u003e without proper input validation, allowing client-controlled parameters such as \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, and \u003ccode\u003eupdatedDate\u003c/code\u003e to be injected via API requests. An attacker, authenticated within one workspace, can leverage this vulnerability to move Evaluator entities—and potentially sensitive scoring rubrics—to other workspaces. This can result in unauthorized access to data, privilege escalation, and a loss of data ownership. This issue is similar to a previously patched vulnerability in the \u003ccode\u003eDocumentStore\u003c/code\u003e (commit 840d2ae), indicating a systemic pattern of insecure object assignment within the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the FlowiseAI web UI as a member of workspace A, obtaining a valid session cookie or JWT.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or identifies an existing Evaluator entity within workspace A.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003ePUT\u003c/code\u003e request to the \u003ccode\u003e/api/v1/evaluators/\u0026lt;id\u0026gt;\u003c/code\u003e endpoint (or equivalent) targeting the Evaluator entity identified in the previous step.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a JSON body within the \u003ccode\u003ePUT\u003c/code\u003e request, specifically setting the \u003ccode\u003eworkspaceId\u003c/code\u003e parameter to the UUID of a different workspace (workspace B).\u003c/li\u003e\n\u003cli\u003eThe FlowiseAI server receives the request and, due to the mass assignment vulnerability, uses \u003ccode\u003eObject.assign(updateEntity, body)\u003c/code\u003e to update the Evaluator entity, overwriting its \u003ccode\u003eworkspaceId\u003c/code\u003e with the attacker-supplied value.\u003c/li\u003e\n\u003cli\u003eThe persistence layer commits the changes to the database, effectively transferring ownership of the Evaluator entity to workspace B.\u003c/li\u003e\n\u003cli\u003eMembers of workspace B can now access, modify, and utilize the transferred Evaluator entity.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s workspace A loses access to the Evaluator, and no suspicious activity is logged in workspace A\u0026rsquo;s audit logs, masking the malicious action.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows any authenticated user with permission to update an evaluator to move it to any workspace. The impact of a successful attack includes unauthorized access to evaluators and their scoring rubrics by members of the target workspace, data exfiltration, and potential privilege escalation. An attacker can enumerate workspace UUIDs via the \u003ccode\u003e/api/v1/workspaces\u003c/code\u003e API listing or through other API responses, making it trivial to identify valid target workspaces.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FlowiseAI to version 3.1.2 or later, where the fix from pull request #6050 has been applied.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect FlowiseAI Evaluator WorkspaceId Manipulation via API\u0026rdquo; to identify attempts to exploit this vulnerability by monitoring API requests that modify the \u003ccode\u003eworkspaceId\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement regression tests to verify that attempts to modify \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, or \u003ccode\u003eupdatedDate\u003c/code\u003e via API requests are rejected or ignored by the server.\u003c/li\u003e\n\u003cli\u003eApply the allowlist pattern to all controllers that handle entity updates to prevent similar mass assignment vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:23:34Z","date_published":"2026-05-14T16:23:34Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-evaluator-takeover/","summary":"FlowiseAI is vulnerable to a mass assignment vulnerability in the Evaluator controller/service, where an attacker can manipulate the `workspaceId` during evaluator creation or updates, leading to cross-workspace data takeover and IDOR.","title":"FlowiseAI Evaluator Cross-Workspace Takeover via Mass Assignment","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-evaluator-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — FlowiseAI","version":"https://jsonfeed.org/version/1.1"}