Tenant Isolation — CraftedSignal Threat Feed

FlowiseAI Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource Reassignment

hello@craftedsignal.io — Thu, 14 May 2026 15:00:09 +0000

FlowiseAI version 3.1.1 and earlier is vulnerable to a mass assignment vulnerability in its assistant update endpoint. This vulnerability allows authenticated users to modify server-controlled properties, including workspaceId, createdDate, and updatedDate. By manipulating these properties, particularly the workspaceId, an attacker can reassign assistants to arbitrary workspaces. This poses a significant risk in multi-tenant deployments where tenant isolation is critical. The vulnerability arises due to missing server-side validation and authorization checks, allowing user-controlled request bodies to override internal, server-controlled properties. This can lead to unauthorized data access and modification across different workspaces.

Attack Chain

Attacker authenticates to the FlowiseAI interface with valid credentials.
Attacker captures the HTTP request sent to update an assistant resource using the PUT /api/v1/assistants/{assistantId} endpoint.
Attacker modifies the JSON request body to include the workspaceId parameter, setting it to the target workspace’s ID.
The attacker also injects createdDate and updatedDate parameters to control the assistant’s metadata.
Attacker sends the modified request to the /api/v1/assistants/{assistantId} endpoint.
The server accepts the attacker-controlled workspaceId, createdDate, and updatedDate values without proper validation.
The assistant resource is reassigned to the attacker-specified workspace, breaking tenant isolation.
The attacker can now access and manipulate the reassigned assistant within the target workspace, potentially gaining unauthorized access to sensitive data.

Impact

The mass assignment vulnerability in FlowiseAI allows authenticated users to perform unauthorized actions, including cross-workspace reassignment of assistants and modification of metadata. In multi-tenant deployments, this can lead to a complete breakdown of tenant isolation, allowing attackers to access and manipulate resources belonging to other tenants. The confirmed impacts include unauthorized modification of assistant metadata and cross-workspace data access. If successful, this can lead to data breaches, compliance violations, and reputational damage.

Recommendation

Deploy the Sigma rule Detect FlowiseAI Assistant WorkspaceId Manipulation to detect attempts to modify the workspaceId parameter in the /api/v1/assistants/{assistantId} endpoint.
Deploy the Sigma rule Detect FlowiseAI Assistant Date Field Manipulation to detect attempts to modify the createdDate or updatedDate parameters in the /api/v1/assistants/{assistantId} endpoint.
Upgrade FlowiseAI to a version greater than 3.1.1 to remediate the mass assignment vulnerability.

FlowiseAI Mass Assignment Vulnerability in Variable Update Endpoint

hello@craftedsignal.io — Thu, 14 May 2026 14:53:24 +0000

FlowiseAI, a low-code platform for building AI workflows, is vulnerable to a mass assignment flaw (CVE-2026-42861) affecting versions 3.1.1 and earlier. The vulnerability resides in the /api/v1/variables/{variableId} endpoint, which is used for updating variable resources. Due to missing server-side validation, an authenticated attacker can modify critical, server-controlled properties such as workspaceId, createdDate, and updatedDate. This can lead to unauthorized cross-workspace reassignment of variables, potentially compromising tenant isolation in multi-tenant environments. The issue was reported in May 2026, and defenders need to implement mitigations to prevent unauthorized data access and manipulation.

Attack Chain

Attacker authenticates to FlowiseAI with valid user credentials.
Attacker identifies a target variable ID within the application they wish to manipulate.
Attacker crafts a malicious PUT request to /api/v1/variables/{variableId}.
The request body includes the workspaceId field, setting it to the ID of a different workspace the attacker wishes to access.
The request body may also include modified createdDate and updatedDate values for the variable.
The FlowiseAI server, lacking proper validation, accepts the attacker-supplied workspaceId, createdDate, and updatedDate values.
The server updates the variable in the database with the attacker-controlled values, effectively reassigning the variable to the attacker’s chosen workspace.
The attacker can now access and potentially manipulate resources within the targeted workspace using the reassigned variable.

Impact

Successful exploitation allows authenticated users to manipulate internal variable attributes, potentially leading to cross-workspace reassignment of variables, unauthorized modification of metadata, and tenant isolation bypass in multi-workspace deployments. This can allow an attacker to move variables between workspaces without proper authorization. The vulnerability affects FlowiseAI installations version 3.1.1 and earlier.

Recommendation

Apply input validation and authorization checks on the /api/v1/variables/{variableId} endpoint to prevent modification of server-controlled properties like workspaceId, createdDate, and updatedDate as described in CVE-2026-42861.
Monitor PUT requests to the /api/v1/variables/{variableId} endpoint for attempts to modify the workspaceId parameter to detect potential exploitation attempts. Use the detection rule Detect FlowiseAI Mass Assignment in Variable Update to identify anomalous requests.
Implement workspace access controls and verify that users can only access variables within their assigned workspace, regardless of the workspaceId attribute.