{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tenant-isolation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FlowiseAI (\u003c= 3.1.1)"],"_cs_severities":["high"],"_cs_tags":["mass assignment","tenant isolation","flowiseai","web application"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI version 3.1.1 and earlier contains a mass assignment vulnerability in its assistant update endpoint. The flaw allows authenticated users to modify server-controlled properties, including workspaceId, createdDate, and updatedDate. By manipulating these properties, particularly the workspaceId, an attacker can reassign assistants to arbitrary workspaces. This poses a significant risk in multi-tenant deployments where tenant isolation is critical. The vulnerability arises from missing server-side validation and authorization checks, which let user-controlled request bodies override internal, server-controlled properties. 
This can lead to unauthorized data access and modification across different workspaces.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the FlowiseAI interface with valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker captures the HTTP request sent to update an assistant resource using the PUT \u003ccode\u003e/api/v1/assistants/{assistantId}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the JSON request body to include the \u003ccode\u003eworkspaceId\u003c/code\u003e parameter, setting it to the target workspace\u0026rsquo;s ID.\u003c/li\u003e\n\u003cli\u003eThe attacker also injects \u003ccode\u003ecreatedDate\u003c/code\u003e and \u003ccode\u003eupdatedDate\u003c/code\u003e parameters to control the assistant\u0026rsquo;s metadata.\u003c/li\u003e\n\u003cli\u003eAttacker sends the modified request to the \u003ccode\u003e/api/v1/assistants/{assistantId}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe server accepts the attacker-controlled \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, and \u003ccode\u003eupdatedDate\u003c/code\u003e values without proper validation.\u003c/li\u003e\n\u003cli\u003eThe assistant resource is reassigned to the attacker-specified workspace, breaking tenant isolation.\u003c/li\u003e\n\u003cli\u003eThe attacker can now access and manipulate the reassigned assistant within the target workspace, potentially gaining unauthorized access to sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe mass assignment vulnerability in FlowiseAI allows authenticated users to perform unauthorized actions, including cross-workspace reassignment of assistants and modification of metadata. 
In multi-tenant deployments, this can lead to a complete breakdown of tenant isolation, allowing attackers to access and manipulate resources belonging to other tenants. The confirmed impacts include unauthorized modification of assistant metadata and cross-workspace data access. If successful, this can lead to data breaches, compliance violations, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlowiseAI Assistant WorkspaceId Manipulation\u003c/code\u003e to detect attempts to modify the workspaceId parameter in the \u003ccode\u003e/api/v1/assistants/{assistantId}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlowiseAI Assistant Date Field Manipulation\u003c/code\u003e to detect attempts to modify the createdDate or updatedDate parameters in the \u003ccode\u003e/api/v1/assistants/{assistantId}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eUpgrade FlowiseAI to a version greater than 3.1.1 to remediate the mass assignment vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T15:00:09Z","date_published":"2026-05-14T15:00:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-mass-assignment/","summary":"FlowiseAI version 3.1.1 and earlier contains a mass assignment vulnerability in the assistant update endpoint, allowing authenticated users to modify server-controlled properties like workspaceId, createdDate, and updatedDate, enabling cross-workspace reassignment of assistants and breaking tenant isolation in multi-workspace environments.","title":"FlowiseAI Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource 
Reassignment","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-mass-assignment/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise \u003c= 3.1.1"],"_cs_severities":["high"],"_cs_tags":["mass assignment","tenant isolation","web application"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI, a low-code platform for building AI workflows, is vulnerable to a mass assignment flaw (CVE-2026-42861) affecting versions 3.1.1 and earlier. The vulnerability resides in the \u003ccode\u003e/api/v1/variables/{variableId}\u003c/code\u003e endpoint, which is used for updating variable resources. Due to missing server-side validation, an authenticated attacker can modify critical, server-controlled properties such as \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, and \u003ccode\u003eupdatedDate\u003c/code\u003e. This can lead to unauthorized cross-workspace reassignment of variables, potentially compromising tenant isolation in multi-tenant environments. 
The issue was reported in May 2026, and defenders need to implement mitigations to prevent unauthorized data access and manipulation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to FlowiseAI with valid user credentials.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a target variable ID within the application they wish to manipulate.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious PUT request to \u003ccode\u003e/api/v1/variables/{variableId}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request body includes the \u003ccode\u003eworkspaceId\u003c/code\u003e field, setting it to the ID of a different workspace the attacker wishes to access.\u003c/li\u003e\n\u003cli\u003eThe request body may also include modified \u003ccode\u003ecreatedDate\u003c/code\u003e and \u003ccode\u003eupdatedDate\u003c/code\u003e values for the variable.\u003c/li\u003e\n\u003cli\u003eThe FlowiseAI server, lacking proper validation, accepts the attacker-supplied \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, and \u003ccode\u003eupdatedDate\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eThe server updates the variable in the database with the attacker-controlled values, effectively reassigning the variable to the attacker\u0026rsquo;s chosen workspace.\u003c/li\u003e\n\u003cli\u003eThe attacker can now access and potentially manipulate resources within the targeted workspace using the reassigned variable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows authenticated users to manipulate internal variable attributes, potentially leading to cross-workspace reassignment of variables, unauthorized modification of metadata, and tenant isolation bypass in multi-workspace deployments. 
This can allow an attacker to move variables between workspaces without proper authorization. The vulnerability affects FlowiseAI installations version 3.1.1 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and authorization checks on the \u003ccode\u003e/api/v1/variables/{variableId}\u003c/code\u003e endpoint to prevent modification of server-controlled properties like \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, and \u003ccode\u003eupdatedDate\u003c/code\u003e as described in CVE-2026-42861.\u003c/li\u003e\n\u003cli\u003eMonitor PUT requests to the \u003ccode\u003e/api/v1/variables/{variableId}\u003c/code\u003e endpoint for attempts to modify the \u003ccode\u003eworkspaceId\u003c/code\u003e parameter to detect potential exploitation attempts. Use the detection rule \u003ccode\u003eDetect FlowiseAI Mass Assignment in Variable Update\u003c/code\u003e to identify anomalous requests.\u003c/li\u003e\n\u003cli\u003eImplement workspace access controls and verify that users can only access variables within their assigned workspace, regardless of the \u003ccode\u003eworkspaceId\u003c/code\u003e attribute.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T14:53:24Z","date_published":"2026-05-14T14:53:24Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowise-mass-assignment/","summary":"FlowiseAI versions 3.1.1 and earlier contain a mass assignment vulnerability in the variable update endpoint allowing authenticated users to modify server-controlled properties like workspaceId, createdDate, and updatedDate, potentially breaking tenant isolation in multi-workspace environments (CVE-2026-42861).","title":"FlowiseAI Mass Assignment Vulnerability in Variable Update Endpoint","url":"https://feed.craftedsignal.io/briefs/2026-05-flowise-mass-assignment/"}],"language":"en","title":"CraftedSignal Threat Feed — Tenant 
Isolation","version":"https://jsonfeed.org/version/1.1"}