{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/flowiseai/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise (\u003c= 3.1.1)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","missing-authentication","crud"],"_cs_type":"threat","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI versions up to and including 3.1.1 are vulnerable to a critical privilege escalation issue affecting the OpenAI Assistants Vector Store. The vulnerability stems from a lack of authentication middleware and permission checks on the Create, Read, Update, and Delete (CRUD) endpoints for the vector store. Specifically, the \u003ccode\u003e/api/v1/openai-assistants-vector-store\u003c/code\u003e route, while requiring API key authentication, does not enforce any permission checks on operations. 
This oversight allows any authenticated user, regardless of their assigned role or permissions, to perform unrestricted actions on the vector store, including creating new stores, uploading files, deleting stores and files, and modifying existing stores.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the FlowiseAI instance using a valid API key.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/api/v1/openai-assistants-vector-store\u003c/code\u003e to create a new vector store.\u003c/li\u003e\n\u003cli\u003eThe application, lacking permission checks, creates the new vector store without validating the user\u0026rsquo;s privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/api/v1/openai-assistants-vector-store/{id}\u003c/code\u003e to upload malicious files to the created vector store, exploiting the missing checks on file upload.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a PUT request to \u003ccode\u003e/api/v1/openai-assistants-vector-store/{id}\u003c/code\u003e to modify the vector store\u0026rsquo;s configuration or data.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker sends a DELETE request to \u003ccode\u003e/api/v1/openai-assistants-vector-store/{id}\u003c/code\u003e to delete vector stores and associated files.\u003c/li\u003e\n\u003cli\u003eThe application executes the requested operation without proper authorization validation, leading to data manipulation or deletion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any authenticated user to manipulate OpenAI vector stores within FlowiseAI. This can lead to the upload of malicious files, unauthorized deletion of sensitive data, exfiltration of stored documents, or modification of vector store configurations. 
This privilege escalation could allow an attacker to compromise the integrity and confidentiality of data stored within FlowiseAI.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect unauthorized creation of vector stores via the \u003ccode\u003e/api/v1/openai-assistants-vector-store\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect unauthorized deletion of vector stores and files via the \u003ccode\u003e/api/v1/openai-assistants-vector-store/{id}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eUpgrade FlowiseAI to a patched version greater than 3.1.1 to remediate the missing authentication and permission checks.\u003c/li\u003e\n\u003cli\u003eImplement robust access control mechanisms and permission validation on all API endpoints to prevent unauthorized data manipulation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:24:56Z","date_published":"2026-05-14T16:24:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-vector-store-no-auth/","summary":"FlowiseAI versions 3.1.1 and earlier are vulnerable to a privilege escalation due to missing authentication and permission checks on the OpenAI Assistants Vector Store CRUD endpoints, allowing any authenticated user to create, modify, upload files to, and delete vector stores and files, regardless of their assigned permissions.","title":"FlowiseAI OpenAI Assistants Vector Store Missing Authentication","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-vector-store-no-auth/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise \u003c= 3.1.1"],"_cs_severities":["high"],"_cs_tags":["mass-assignment","cross-workspace","flowiseai"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI versions 3.1.1 
and earlier are vulnerable to a mass assignment vulnerability in the Assistant controller located in \u003ccode\u003epackages/server/src/services/assistants/index.ts\u003c/code\u003e. An authenticated user can exploit this vulnerability to move an assistant, including its configuration, instructions, attached tools, and credentials, from one workspace to another. The vulnerability stems from the use of \u003ccode\u003eObject.assign(entity, body)\u003c/code\u003e without proper input validation, allowing a malicious actor to overwrite the \u003ccode\u003eworkspaceId\u003c/code\u003e and \u003ccode\u003eid\u003c/code\u003e attributes of the Assistant entity. This issue is similar to a previously patched vulnerability in the \u003ccode\u003eDocumentStore\u003c/code\u003e (commit 840d2ae), highlighting a pattern of insecure mass assignment within the application. This vulnerability can lead to cross-workspace data access and privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to FlowiseAI as a member of workspace A, obtaining a valid session cookie or JWT.\u003c/li\u003e\n\u003cli\u003eThe attacker creates (or reuses) an existing assistant within workspace A and notes the assistant\u0026rsquo;s \u003ccode\u003eid\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003ePUT\u003c/code\u003e request to the \u003ccode\u003e/api/v1/assistants/\u0026lt;id\u0026gt;\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePUT\u003c/code\u003e request includes a JSON body containing a \u003ccode\u003eworkspaceId\u003c/code\u003e attribute set to the UUID of workspace B (the target workspace).\u003c/li\u003e\n\u003cli\u003eThe FlowiseAI server receives the request and calls \u003ccode\u003eObject.assign(updateEntity, body)\u003c/code\u003e within the Assistant controller.\u003c/li\u003e\n\u003cli\u003eThe 
\u003ccode\u003eworkspaceId\u003c/code\u003e in the request body overwrites the existing \u003ccode\u003eworkspaceId\u003c/code\u003e of the assistant entity.\u003c/li\u003e\n\u003cli\u003eThe persistence layer updates the assistant record in the database, associating it with workspace B.\u003c/li\u003e\n\u003cli\u003eThe assistant is now accessible to members of workspace B, and the attacker in workspace A loses access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows any authenticated user with permission to update an assistant to move it to another workspace, violating workspace isolation. Given that workspace UUIDs are easily enumerated via the API, an attacker can readily target specific workspaces. Successfully moving an assistant grants the destination workspace access to the assistant\u0026rsquo;s configuration, instructions, attached tools, and credentials, potentially leading to unauthorized access to sensitive data and resources. 
This issue is classified as high severity because it breaks a fundamental security boundary within the application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FlowiseAI to a version higher than 3.1.1 to incorporate the fix described in PR \u003ca href=\"https://github.com/FlowiseAI/Flowise/pull/6128\"\u003ehttps://github.com/FlowiseAI/Flowise/pull/6128\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlowiseAI WorkspaceId Mass Assignment\u003c/code\u003e to your SIEM to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement regression tests as described in the advisory to prevent future occurrences of this type of vulnerability; ensure requests containing \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, or \u003ccode\u003eupdatedDate\u003c/code\u003e are rejected on both create and update paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:24:43Z","date_published":"2026-05-14T16:24:43Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-workspace-takeover/","summary":"FlowiseAI is vulnerable to a mass assignment vulnerability in the Assistant controller/service allowing an attacker, authenticated as a member of one workspace, to move an assistant (including configurations, instructions, tools and credentials) to another workspace by overwriting the `workspaceId` and `id` fields in the request body, leading to cross-workspace data takeover and IDOR.","title":"FlowiseAI Cross-Workspace Assistant Takeover via Mass Assignment","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-workspace-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Flowise \u003c= 
3.1.1"],"_cs_severities":["high"],"_cs_tags":["mass-assignment","cross-workspace","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI versions 3.1.1 and earlier are vulnerable to a mass assignment vulnerability in the CustomTemplate controller (\u003ccode\u003epackages/server/src/services/marketplaces/index.ts\u003c/code\u003e). This flaw allows an authenticated attacker to modify the \u003ccode\u003eworkspaceId\u003c/code\u003e of a custom template through an API request, effectively moving the template to another workspace. The vulnerability stems from the use of \u003ccode\u003eObject.assign(entity, body)\u003c/code\u003e without proper input validation, enabling the client to control critical fields like \u003ccode\u003eworkspaceId\u003c/code\u003e and \u003ccode\u003eid\u003c/code\u003e. This issue poses a significant threat as it breaks workspace isolation and allows unauthorized access to custom templates. The vulnerability was identified and a fix has been suggested via allowlisting in PR \u003ca href=\"https://github.com/FlowiseAI/Flowise/pull/6129\"\u003ehttps://github.com/FlowiseAI/Flowise/pull/6129\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker, authenticated to workspace A, obtains a valid session cookie/JWT for the Flowise web UI.\u003c/li\u003e\n\u003cli\u003eAttacker identifies or creates a custom template within workspace A and notes its entity \u003ccode\u003eid\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a \u003ccode\u003ePUT /api/v1/customtemplates/\u0026lt;id\u0026gt;\u003c/code\u003e request, including a JSON body with the target workspace B\u0026rsquo;s UUID in the \u003ccode\u003e\u0026quot;workspaceId\u0026quot;\u003c/code\u003e field (e.g., \u003ccode\u003e\u0026quot;workspaceId\u0026quot;: 
\u0026quot;\u0026lt;workspace-B-id\u0026gt;\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server receives the request and calls \u003ccode\u003eObject.assign(updateEntity, body)\u003c/code\u003e, copying the attacker-supplied \u003ccode\u003eworkspaceId\u003c/code\u003e into the entity.\u003c/li\u003e\n\u003cli\u003eThe updated entity, now associated with workspace B, is persisted to the database.\u003c/li\u003e\n\u003cli\u003eThe custom template is now accessible to members of workspace B and can be modified or used by them.\u003c/li\u003e\n\u003cli\u003eThe attacker from workspace A loses access to the template, as it is no longer associated with their workspace.\u003c/li\u003e\n\u003cli\u003eWorkspace A\u0026rsquo;s audit logs do not reflect any unauthorized activity, as the operation appears as a normal template update.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows any authenticated user to violate workspace boundaries, potentially exposing sensitive workflow templates to unauthorized users. An attacker can move a custom template to any workspace whose UUID they can enumerate, which is trivial because workspace UUIDs are exposed in API responses. 
Successful exploitation allows unauthorized access, modification, and usage of custom templates, potentially leading to data leaks or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a version of FlowiseAI that includes the fix from PR \u003ca href=\"https://github.com/FlowiseAI/Flowise/pull/6129\"\u003ehttps://github.com/FlowiseAI/Flowise/pull/6129\u003c/a\u003e, which implements an allowlist pattern.\u003c/li\u003e\n\u003cli\u003eImplement regression tests as described in the advisory to prevent future regressions that could reintroduce mass assignment vulnerabilities in CustomTemplate creation and update paths.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Flowise CustomTemplate WorkspaceId Modification\u003c/code\u003e to detect potential exploitation attempts by monitoring API requests to the \u003ccode\u003e/api/v1/customtemplates/\u0026lt;id\u0026gt;\u003c/code\u003e endpoint with a modified \u003ccode\u003eworkspaceId\u003c/code\u003e in the request body.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to facilitate the detection of malicious HTTP requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:24:30Z","date_published":"2026-05-14T16:24:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowise-template-takeover/","summary":"FlowiseAI is vulnerable to cross-workspace data takeover due to mass assignment in the CustomTemplate controller, allowing an attacker to move templates to other workspaces by overwriting the `workspaceId` via API request.","title":"FlowiseAI CustomTemplate Mass Assignment Allows Cross-Workspace Template Takeover","url":"https://feed.craftedsignal.io/briefs/2026-05-flowise-template-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise (\u003c= 
3.1.1)"],"_cs_severities":["high"],"_cs_tags":["mass-assignment","cross-workspace","idor","flowiseai"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI versions 3.1.1 and earlier contain a mass assignment vulnerability in the Dataset service, allowing authenticated users to move datasets between workspaces. The vulnerability stems from the use of \u003ccode\u003eObject.assign()\u003c/code\u003e to copy request body parameters directly into Dataset entities without proper input validation or sanitization. Specifically, the \u003ccode\u003eworkspaceId\u003c/code\u003e field can be overwritten by a malicious user, leading to unauthorized access and data exposure in the target workspace. The root cause mirrors a previously patched vulnerability in the \u003ccode\u003eDocumentStore\u003c/code\u003e service, indicating a systemic issue with input handling across the application. This flaw can be exploited by any authenticated user with permission to update a dataset.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to FlowiseAI within workspace A, obtaining a valid session cookie or JWT.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a dataset within workspace A that they have permission to update.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request (PUT \u003ccode\u003e/api/v1/datasets/\u0026lt;id\u0026gt;\u003c/code\u003e) to update the target dataset.\u003c/li\u003e\n\u003cli\u003eThe request body includes a \u003ccode\u003eworkspaceId\u003c/code\u003e parameter set to the UUID of a different workspace (workspace B).\u003c/li\u003e\n\u003cli\u003eThe server-side Dataset controller uses \u003ccode\u003eObject.assign(updateEntity, body)\u003c/code\u003e to update the dataset entity, blindly accepting the malicious \u003ccode\u003eworkspaceId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe persistence layer commits 
the changes to the database, updating the \u003ccode\u003eworkspaceId\u003c/code\u003e of the dataset.\u003c/li\u003e\n\u003cli\u003eThe dataset is now associated with workspace B, granting access to members of workspace B.\u003c/li\u003e\n\u003cli\u003eThe attacker in workspace A loses access to the dataset, effectively transferring ownership.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows any authenticated user to move datasets from one workspace to another, leading to unauthorized data access and potential data breaches. Datasets contain training and evaluation data, which may include sensitive information. Successful exploitation allows unauthorized access to this data in the destination workspace, and removes access from the original owner. Given that workspace UUIDs can be enumerated via the API, the impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from PR \u003ca href=\"https://github.com/FlowiseAI/Flowise/pull/6051\"\u003ehttps://github.com/FlowiseAI/Flowise/pull/6051\u003c/a\u003e which implements an allowlist pattern.\u003c/li\u003e\n\u003cli\u003eImplement regression tests to ensure that attempts to modify \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, or \u003ccode\u003eupdatedDate\u003c/code\u003e fields via API requests are rejected or ignored (see suggested fix in content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect suspicious updates to dataset entities with modified \u003ccode\u003eworkspaceId\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eImplement input validation on all API endpoints that modify Dataset entities to prevent mass assignment 
vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:24:15Z","date_published":"2026-05-14T16:24:15Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-dataset-takeover/","summary":"FlowiseAI is vulnerable to a mass assignment vulnerability via `Object.assign(entity, body)` which allows a client-controlled `workspaceId` to be overwritten on the Dataset entity, leading to cross-workspace data takeover and IDOR.","title":"FlowiseAI Cross-Workspace Dataset Takeover via Mass Assignment","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-dataset-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise \u003c= 3.1.1"],"_cs_severities":["high"],"_cs_tags":["mass-assignment","idor","cross-workspace"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI versions 3.1.1 and earlier contain a mass assignment vulnerability in the DatasetRow controller/service (\u003ccode\u003epackages/server/src/services/dataset/index.ts\u003c/code\u003e). The vulnerability arises from the use of \u003ccode\u003eObject.assign(entity, body)\u003c/code\u003e without an explicit field allowlist when creating or updating DatasetRow entities. This allows an attacker to control properties like \u003ccode\u003eworkspaceId\u003c/code\u003e and \u003ccode\u003eid\u003c/code\u003e through the request body, leading to a cross-workspace data takeover. The vulnerability is similar to a previously patched issue in \u003ccode\u003eDocumentStore\u003c/code\u003e (commit 840d2ae), where an explicit field-by-field allowlist was implemented. 
This oversight enables an authenticated user to move DatasetRows, which contain individual training/evaluation records, between workspaces, potentially exposing sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker, authenticated as a member of workspace A, obtains a valid session cookie or JWT for the Flowise web UI.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new DatasetRow within workspace A using the documented API (or reuses an existing one).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003eid\u003c/code\u003e of the DatasetRow they control.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePUT\u003c/code\u003e request to the \u003ccode\u003e/api/v1/datasetrows/\u0026lt;id\u0026gt;\u003c/code\u003e endpoint (or an equivalent update endpoint).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePUT\u003c/code\u003e request includes a JSON body containing \u003ccode\u003e\u0026quot;workspaceId\u0026quot;: \u0026quot;\u0026lt;workspace-B-id\u0026gt;\u0026quot;\u003c/code\u003e, where \u003ccode\u003e\u0026lt;workspace-B-id\u0026gt;\u003c/code\u003e is the UUID of a different, arbitrary workspace.\u003c/li\u003e\n\u003cli\u003eThe server-side controller receives the request and executes \u003ccode\u003eObject.assign(updateEntity, body)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eworkspaceId\u003c/code\u003e value from the request body overwrites the original \u003ccode\u003eworkspaceId\u003c/code\u003e field of the \u003ccode\u003eupdateEntity\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe persistence layer commits the modified row to the database, resulting in the DatasetRow being associated with workspace B. 
Members of workspace B can now access, modify, and utilize the transferred DatasetRow, while workspace A loses access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows any authenticated workspace member with the permission to update a DatasetRow to move it to any workspace. Since workspace UUIDs are exposed through API responses (e.g., \u003ccode\u003e/api/v1/workspaces\u003c/code\u003e), enumeration is trivial. This cross-workspace boundary violation exposes training/evaluation records contained in DatasetRows to unauthorized users. An attacker can also rebind a row to a Dataset in another workspace via \u003ccode\u003edatasetId\u003c/code\u003e, further exposing row content.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to FlowiseAI version 3.1.2 or later, where the fix from PR \u003ca href=\"https://github.com/FlowiseAI/Flowise/pull/6051\"\u003ehttps://github.com/FlowiseAI/Flowise/pull/6051\u003c/a\u003e has been applied, implementing an allowlist pattern.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect FlowiseAI DatasetRow WorkspaceId Modification\u0026rdquo; to detect attempts to modify the \u003ccode\u003eworkspaceId\u003c/code\u003e parameter via the \u003ccode\u003e/api/v1/datasetrows\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement regression tests that assert requests containing \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, or \u003ccode\u003eupdatedDate\u003c/code\u003e are rejected or do not change those columns on the persisted row for both create and update paths, as suggested in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for PUT requests to \u003ccode\u003e/api/v1/datasetrows\u003c/code\u003e with unusual parameters in the request 
body.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:24:01Z","date_published":"2026-05-14T16:24:01Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-datasetrow-takeover/","summary":"FlowiseAI is vulnerable to a mass assignment vulnerability in the DatasetRow controller/service, allowing an authenticated attacker to overwrite the `workspaceId` and `id` of a DatasetRow entity, leading to cross-workspace data takeover and IDOR.","title":"FlowiseAI DatasetRow Mass Assignment Allows Cross-Workspace Data Takeover","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-datasetrow-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise (\u003c= 3.1.1)","FlowiseAI"],"_cs_severities":["high"],"_cs_tags":["mass-assignment","cross-workspace","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI, a low-code/no-code platform for building AI orchestration flows, is susceptible to a mass assignment vulnerability in versions 3.1.1 and earlier. The vulnerability resides within the Evaluation controller/service (\u003ccode\u003epackages/server/src/services/evaluations/index.ts\u003c/code\u003e). By exploiting this flaw, an authenticated user can manipulate the \u003ccode\u003eworkspaceId\u003c/code\u003e of an Evaluation entity. This manipulation is possible due to the use of \u003ccode\u003eObject.assign(entity, body)\u003c/code\u003e without proper input validation, allowing an attacker to inject arbitrary \u003ccode\u003eworkspaceId\u003c/code\u003e values into the request body. The vulnerability poses a significant risk as it enables cross-workspace data access and manipulation, potentially exposing sensitive information to unauthorized users. 
The root cause is similar to a previously patched vulnerability in \u003ccode\u003eDocumentStore\u003c/code\u003e (commit 840d2ae), indicating a pattern of insecure object assignment within the codebase.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to FlowiseAI as a member of workspace A, obtaining a valid session cookie or JWT.\u003c/li\u003e\n\u003cli\u003eAttacker identifies or creates an Evaluation entity within workspace A, noting its unique \u003ccode\u003eid\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker obtains the \u003ccode\u003eworkspaceId\u003c/code\u003e of a target workspace B, potentially through API enumeration (e.g., \u003ccode\u003e/api/v1/workspaces\u003c/code\u003e) or by inspecting other entities\u0026rsquo; \u003ccode\u003eworkspaceId\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a \u003ccode\u003ePUT\u003c/code\u003e request to the \u003ccode\u003e/api/v1/evaluations/\u0026lt;id\u0026gt;\u003c/code\u003e endpoint, using the \u003ccode\u003eid\u003c/code\u003e of the Evaluation entity from workspace A.\u003c/li\u003e\n\u003cli\u003eThe request body includes a JSON payload with the \u003ccode\u003e\u0026quot;workspaceId\u0026quot;\u003c/code\u003e field set to the \u003ccode\u003eworkspaceId\u003c/code\u003e of workspace B.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s Evaluation controller receives the request and uses \u003ccode\u003eObject.assign(updateEntity, body)\u003c/code\u003e to update the Evaluation entity. 
The attacker-controlled \u003ccode\u003eworkspaceId\u003c/code\u003e overwrites the existing value.\u003c/li\u003e\n\u003cli\u003eThe persistence layer commits the changes to the database, associating the Evaluation entity with workspace B.\u003c/li\u003e\n\u003cli\u003eThe Evaluation entity is now accessible to members of workspace B and inaccessible to members of workspace A, resulting in unauthorized data access and potential modification.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows any authenticated user to move Evaluation entities between workspaces. This cross-workspace boundary violation allows an attacker to access and potentially modify evaluation runs, including captured prompts, model outputs, and scoring data, belonging to other workspaces. Successful exploitation leads to a high level of data exposure, as the attacker can exfiltrate or manipulate data that should be isolated to specific workspaces. 
The vulnerability affects FlowiseAI versions up to and including 3.1.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FlowiseAI to the latest version, which includes the fix from PR \u003ca href=\"https://github.com/FlowiseAI/Flowise/pull/6050\"\u003ehttps://github.com/FlowiseAI/Flowise/pull/6050\u003c/a\u003e that implements an allowlist pattern for updating Evaluation entities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlowiseAI Evaluation WorkspaceId Manipulation\u003c/code\u003e to identify potential exploitation attempts by monitoring PUT requests to the \u003ccode\u003e/api/v1/evaluations/\u0026lt;id\u0026gt;\u003c/code\u003e endpoint with modified \u003ccode\u003eworkspaceId\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eImplement regression tests, as suggested in the source, to ensure that future code changes do not reintroduce the mass assignment vulnerability.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional input validation on API endpoints to prevent similar mass assignment vulnerabilities in other parts of the application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:23:48Z","date_published":"2026-05-14T16:23:48Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-evaluation-takeover/","summary":"FlowiseAI is vulnerable to a mass assignment vulnerability (fixed in PR 6050) that allows authenticated users to move Evaluation entities between workspaces by overwriting the `workspaceId` field via API request, leading to unauthorized data access.","title":"FlowiseAI Evaluation Cross-Workspace Data Takeover via Mass Assignment","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-evaluation-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise \u003c= 
3.1.1","FlowiseAI"],"_cs_severities":["high"],"_cs_tags":["mass-assignment","idor","privilege-escalation","cloud"],"_cs_type":"threat","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI versions 3.1.1 and earlier are susceptible to a mass assignment vulnerability within the Evaluator entity. This flaw arises from the Evaluator controller/service\u0026rsquo;s use of \u003ccode\u003eObject.assign(entity, body)\u003c/code\u003e without proper input validation, allowing client-controlled parameters such as \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, and \u003ccode\u003eupdatedDate\u003c/code\u003e to be injected via API requests. An attacker, authenticated within one workspace, can leverage this vulnerability to move Evaluator entities—and potentially sensitive scoring rubrics—to other workspaces. This can result in unauthorized access to data, privilege escalation, and a loss of data ownership. 
This issue is similar to a previously patched vulnerability in the \u003ccode\u003eDocumentStore\u003c/code\u003e (commit 840d2ae), indicating a systemic pattern of insecure object assignment within the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the FlowiseAI web UI as a member of workspace A, obtaining a valid session cookie or JWT.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or identifies an existing Evaluator entity within workspace A.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003ePUT\u003c/code\u003e request to the \u003ccode\u003e/api/v1/evaluators/\u0026lt;id\u0026gt;\u003c/code\u003e endpoint (or equivalent) targeting the Evaluator entity identified in the previous step.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a JSON body within the \u003ccode\u003ePUT\u003c/code\u003e request, specifically setting the \u003ccode\u003eworkspaceId\u003c/code\u003e parameter to the UUID of a different workspace (workspace B).\u003c/li\u003e\n\u003cli\u003eThe FlowiseAI server receives the request and, due to the mass assignment vulnerability, uses \u003ccode\u003eObject.assign(updateEntity, body)\u003c/code\u003e to update the Evaluator entity, overwriting its \u003ccode\u003eworkspaceId\u003c/code\u003e with the attacker-supplied value.\u003c/li\u003e\n\u003cli\u003eThe persistence layer commits the changes to the database, effectively transferring ownership of the Evaluator entity to workspace B.\u003c/li\u003e\n\u003cli\u003eMembers of workspace B can now access, modify, and utilize the transferred Evaluator entity.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s workspace A loses access to the Evaluator, and no suspicious activity is logged in workspace A\u0026rsquo;s audit logs, masking the malicious action.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis 
vulnerability allows any authenticated user with permission to update an evaluator to move it to any workspace. The impact of a successful attack includes unauthorized access to evaluators and their scoring rubrics by members of the target workspace, data exfiltration, and potential privilege escalation. An attacker can enumerate workspace UUIDs via the \u003ccode\u003e/api/v1/workspaces\u003c/code\u003e API listing or through other API responses, making it trivial to identify valid target workspaces.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FlowiseAI to version 3.1.2 or later, where the fix from pull request #6050 has been applied.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect FlowiseAI Evaluator WorkspaceId Manipulation via API\u0026rdquo; to identify attempts to exploit this vulnerability by monitoring API requests that modify the \u003ccode\u003eworkspaceId\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement regression tests to verify that attempts to modify \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, or \u003ccode\u003eupdatedDate\u003c/code\u003e via API requests are rejected or ignored by the server.\u003c/li\u003e\n\u003cli\u003eApply the allowlist pattern to all controllers that handle entity updates to prevent similar mass assignment vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:23:34Z","date_published":"2026-05-14T16:23:34Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-evaluator-takeover/","summary":"FlowiseAI is vulnerable to a mass assignment vulnerability in the Evaluator controller/service, where an attacker can manipulate the `workspaceId` during evaluator creation or updates, leading to cross-workspace data takeover and IDOR.","title":"FlowiseAI Evaluator Cross-Workspace Takeover via Mass 
Assignment","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-evaluator-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FlowiseAI (\u003c= 3.1.1)"],"_cs_severities":["high"],"_cs_tags":["mass assignment","tenant isolation","flowiseai","web application"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI version 3.1.1 and earlier is vulnerable to a mass assignment vulnerability in its assistant update endpoint. This vulnerability allows authenticated users to modify server-controlled properties, including workspaceId, createdDate, and updatedDate. By manipulating these properties, particularly the workspaceId, an attacker can reassign assistants to arbitrary workspaces. This poses a significant risk in multi-tenant deployments where tenant isolation is critical. The vulnerability arises due to missing server-side validation and authorization checks, allowing user-controlled request bodies to override internal, server-controlled properties. 
This can lead to unauthorized data access and modification across different workspaces.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the FlowiseAI interface with valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker captures the HTTP request sent to update an assistant resource using the PUT \u003ccode\u003e/api/v1/assistants/{assistantId}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the JSON request body to include the \u003ccode\u003eworkspaceId\u003c/code\u003e parameter, setting it to the target workspace\u0026rsquo;s ID.\u003c/li\u003e\n\u003cli\u003eThe attacker also injects \u003ccode\u003ecreatedDate\u003c/code\u003e and \u003ccode\u003eupdatedDate\u003c/code\u003e parameters to control the assistant\u0026rsquo;s metadata.\u003c/li\u003e\n\u003cli\u003eAttacker sends the modified request to the \u003ccode\u003e/api/v1/assistants/{assistantId}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe server accepts the attacker-controlled \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, and \u003ccode\u003eupdatedDate\u003c/code\u003e values without proper validation.\u003c/li\u003e\n\u003cli\u003eThe assistant resource is reassigned to the attacker-specified workspace, breaking tenant isolation.\u003c/li\u003e\n\u003cli\u003eThe attacker can now access and manipulate the reassigned assistant within the target workspace, potentially gaining unauthorized access to sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe mass assignment vulnerability in FlowiseAI allows authenticated users to perform unauthorized actions, including cross-workspace reassignment of assistants and modification of metadata. 
In multi-tenant deployments, this can lead to a complete breakdown of tenant isolation, allowing attackers to access and manipulate resources belonging to other tenants. The confirmed impacts include unauthorized modification of assistant metadata and cross-workspace data access. If successful, this can lead to data breaches, compliance violations, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlowiseAI Assistant WorkspaceId Manipulation\u003c/code\u003e to detect attempts to modify the workspaceId parameter in the \u003ccode\u003e/api/v1/assistants/{assistantId}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlowiseAI Assistant Date Field Manipulation\u003c/code\u003e to detect attempts to modify the createdDate or updatedDate parameters in the \u003ccode\u003e/api/v1/assistants/{assistantId}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eUpgrade FlowiseAI to a version greater than 3.1.1 to remediate the mass assignment vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T15:00:09Z","date_published":"2026-05-14T15:00:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-mass-assignment/","summary":"FlowiseAI version 3.1.1 and earlier contains a mass assignment vulnerability in the assistant update endpoint, allowing authenticated users to modify server-controlled properties like workspaceId, createdDate, and updatedDate, enabling cross-workspace reassignment of assistants and breaking tenant isolation in multi-workspace environments.","title":"FlowiseAI Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource 
Reassignment","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-mass-assignment/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise (\u003c= 3.1.1)"],"_cs_severities":["high"],"_cs_tags":["credential-access","data-leak","web-application"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI, a low-code platform for building AI applications, is vulnerable to a high-severity credential data leak. Versions 3.1.1 and earlier fail to properly sanitize API responses when fetching credentials using a \u003ccode\u003ecredentialName\u003c/code\u003e filter. This oversight exposes the \u003ccode\u003eencryptedData\u003c/code\u003e field, which should be omitted to protect sensitive information. An authenticated attacker can exploit this vulnerability to extract encrypted API keys, passwords, and tokens used to access services like OpenAI and AWS. Successful exploitation, coupled with unauthorized access to the \u003ccode\u003e~/.flowise/encryption.key\u003c/code\u003e file, allows for complete credential theft, potentially compromising integrated services and sensitive data. 
This vulnerability was published on May 14, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a FlowiseAI instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an API request to the \u003ccode\u003e/api/v1/credentials\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003ecredentialName\u003c/code\u003e parameter to filter the credentials being fetched, such as \u003ccode\u003ecredentialName=openAIApi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe FlowiseAI server processes the request via \u003ccode\u003epackages/server/src/services/credentials/index.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to a flaw in the code at lines 62-63 and 70-71, the \u003ccode\u003eencryptedData\u003c/code\u003e field is not stripped from the API response.\u003c/li\u003e\n\u003cli\u003eThe server returns the API response containing the \u003ccode\u003eencryptedData\u003c/code\u003e field, which includes AES-encrypted credentials.\u003c/li\u003e\n\u003cli\u003eIf the attacker gains access to the \u003ccode\u003e~/.flowise/encryption.key\u003c/code\u003e file (often written with default permissions), they can decrypt the \u003ccode\u003eencryptedData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the plaintext credentials, enabling them to compromise integrated services and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows authenticated users to steal encrypted credential data from FlowiseAI instances. If the attacker also gains access to the encryption key, this leads to full credential theft, potentially compromising integrated services like OpenAI and AWS. The number of victims is dependent on the number of vulnerable FlowiseAI instances exposed to authenticated attackers. 
If successful, the attacker could gain unauthorized access to critical cloud services and sensitive data, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlowiseAI Credential API Leak\u003c/code\u003e to identify requests that could be used to exploit this vulnerability by monitoring webserver logs for requests to the \u003ccode\u003e/api/v1/credentials\u003c/code\u003e endpoint with the \u003ccode\u003ecredentialName\u003c/code\u003e parameter present in the URL.\u003c/li\u003e\n\u003cli\u003eUpgrade FlowiseAI to a version greater than 3.1.1 to patch the vulnerability as per the information in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor file access events for unauthorized access to the \u003ccode\u003e~/.flowise/encryption.key\u003c/code\u003e file using the \u003ccode\u003eDetect FlowiseAI Encryption Key Access\u003c/code\u003e Sigma rule to prevent credential decryption after exfiltration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T14:59:56Z","date_published":"2026-05-14T14:59:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-credential-leak/","summary":"FlowiseAI versions 3.1.1 and earlier leak encrypted credential data when API requests include a `credentialName` filter, potentially leading to full credential theft if combined with access to the encryption key.","title":"FlowiseAI Credential Data Leak via Filtered API Request","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-credential-leak/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise \u003c= 3.1.1"],"_cs_severities":["critical"],"_cs_tags":["rce","sandbox-escape","nodevm"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI, a low-code platform for building AI 
orchestration flows, is vulnerable to authenticated remote code execution (RCE) affecting versions 3.1.1 and earlier. The vulnerability stems from a missing authorization check on the \u003ccode\u003e/api/v1/node-custom-function\u003c/code\u003e endpoint, enabling any authenticated user or API key holder to submit malicious JavaScript code to the \u003ccode\u003eCustom JS Function\u003c/code\u003e node. When the \u003ccode\u003eE2B_APIKEY\u003c/code\u003e environment variable is not configured, the platform falls back to a \u003ccode\u003eNodeVM\u003c/code\u003e sandbox. Attackers can escape this sandbox, gain access to the host\u0026rsquo;s \u003ccode\u003eprocess\u003c/code\u003e object, and execute arbitrary system commands. This allows attackers to compromise the Flowise server, potentially leading to data breaches, service disruption, or further lateral movement within the network. Most self-hosted instances are affected because the NodeVM sandbox is enabled by default when \u003ccode\u003eE2B_APIKEY\u003c/code\u003e is not explicitly set.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the FlowiseAI application using valid credentials or a valid API key.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JavaScript payload designed to escape the NodeVM sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003e/api/v1/node-custom-function\u003c/code\u003e endpoint, including the malicious JavaScript code in the \u003ccode\u003ejavascriptFunction\u003c/code\u003e parameter within the request body.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper authorization checks, executes the attacker-supplied JavaScript code within the Custom JS Function node.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript exploits an exception path within the NodeVM to escape the sandbox, gaining access to the host\u0026rsquo;s 
\u003ccode\u003eprocess\u003c/code\u003e object and \u003ccode\u003echild_process\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003echild_process\u003c/code\u003e module to execute arbitrary system commands on the Flowise server. For example, \u003ccode\u003ecp.execSync('id').toString().trim()\u003c/code\u003e to get the user ID.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the output of the executed command and potentially uses it to gather sensitive information or further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised server for lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows any authenticated Flowise user to execute arbitrary commands on the Flowise server. This can lead to a full compromise of the server, including the ability to read environment variables and secrets, access the filesystem, and make outbound network requests. The default configuration, which relies on the vulnerable NodeVM sandbox when \u003ccode\u003eE2B_APIKEY\u003c/code\u003e is not configured, increases the attack surface, as the majority of self-hosted Flowise instances are likely affected. 
A successful attack can result in data breaches, service disruption, and further exploitation of the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;FlowiseAI NodeVM Sandbox Escape Attempt\u0026rdquo; Sigma rule to detect attempts to exploit this vulnerability by identifying the use of the \u003ccode\u003eError\u003c/code\u003e object and constructor chain manipulation within the \u003ccode\u003eCustom JS Function\u003c/code\u003e node.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;FlowiseAI Custom Function RCE via API\u0026rdquo; Sigma rule to detect HTTP requests to the \u003ccode\u003e/api/v1/node-custom-function\u003c/code\u003e endpoint with suspicious JavaScript payloads containing potentially malicious code execution patterns.\u003c/li\u003e\n\u003cli\u003eImmediately apply the recommended remediation steps: add explicit permission gating to \u003ccode\u003e/api/v1/node-custom-function\u003c/code\u003e, fail closed if \u003ccode\u003eE2B_APIKEY\u003c/code\u003e is absent, and restrict this endpoint from generic API key access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T14:59:44Z","date_published":"2026-05-14T14:59:44Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-rce/","summary":"FlowiseAI is vulnerable to authenticated remote code execution (RCE) due to a missing route-level authorization in the `/api/v1/node-custom-function` endpoint, allowing any authenticated user to execute arbitrary JavaScript and escape the NodeVM sandbox to run system commands.","title":"FlowiseAI Authenticated Remote Code Execution via NodeVM Sandbox 
Escape","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise"],"_cs_severities":["high"],"_cs_tags":["mass-assignment","privilege-escalation","cross-workspace","flowiseai"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eA mass assignment vulnerability has been identified in FlowiseAI versions 3.1.1 and earlier. The vulnerability resides in the chatflow update endpoint, which lacks proper server-side validation and authorization checks. This allows authenticated users to manipulate server-controlled properties of chatflow objects, such as \u003ccode\u003edeployed\u003c/code\u003e, \u003ccode\u003eisPublic\u003c/code\u003e, and \u003ccode\u003eworkspaceId\u003c/code\u003e, by including them in the request body. By exploiting this flaw, an attacker can reassign chatflows to different workspaces, modify deployment settings, and alter visibility settings, potentially leading to unauthorized access and control over resources in multi-tenant environments. 
This vulnerability is identified as CVE-2026-42863.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the FlowiseAI interface with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker captures a legitimate request used to update a chatflow object via the \u003ccode\u003ePUT /api/v1/chatflows/{chatflowId}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the captured request body to include server-controlled fields such as \u003ccode\u003edeployed\u003c/code\u003e, \u003ccode\u003eisPublic\u003c/code\u003e, and \u003ccode\u003eworkspaceId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eworkspaceId\u003c/code\u003e to the ID of a workspace controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the \u003ccode\u003e/api/v1/chatflows/{chatflowId}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe FlowiseAI server accepts the modified request and updates the chatflow object in the database without proper validation.\u003c/li\u003e\n\u003cli\u003eThe chatflow is now reassigned to the attacker\u0026rsquo;s workspace, granting the attacker unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker can further modify the chatflow, change its visibility, or alter its deployment status.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe mass assignment vulnerability in FlowiseAI allows authenticated users to manipulate server-controlled attributes of chatflows. This can result in unauthorized modification of chatflow visibility, deployment state changes, and cross-workspace reassignment of chatflows. In multi-tenant environments, this vulnerability breaks tenant isolation boundaries, enabling attackers to move chatflows between workspaces without authorization. 
Successful exploitation can lead to cross-workspace workflow takeover, unauthorized exposure of private workflows, and manipulation of deployed agent workflows, potentially affecting all FlowiseAI installations with versions 3.1.1 or lower.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect FlowiseAI Chatflow Mass Assignment Attempt via API\u0026rdquo; to detect attempts to modify restricted fields via the chatflow update API endpoint.\u003c/li\u003e\n\u003cli\u003eApply input validation to the \u003ccode\u003ePUT /api/v1/chatflows/{chatflowId}\u003c/code\u003e endpoint to prevent modification of \u003ccode\u003edeployed\u003c/code\u003e, \u003ccode\u003eisPublic\u003c/code\u003e, \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, \u003ccode\u003eupdatedDate\u003c/code\u003e, \u003ccode\u003ecategory\u003c/code\u003e, and \u003ccode\u003etype\u003c/code\u003e parameters, mitigating CVE-2026-42863.\u003c/li\u003e\n\u003cli\u003eUpgrade FlowiseAI to a patched version that addresses the mass assignment vulnerability to prevent unauthorized modification of chatflow attributes, protecting against CVE-2026-42863.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T14:55:39Z","date_published":"2026-05-14T14:55:39Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-chatflow-mass-assignment/","summary":"A mass assignment vulnerability exists in FlowiseAI's chatflow update endpoint (CVE-2026-42863), allowing authenticated users to modify server-controlled properties like `deployed`, `isPublic`, and `workspaceId` due to missing server-side validation, leading to cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings.","title":"FlowiseAI Chatflow Update Endpoint Mass Assignment 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-chatflow-mass-assignment/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise (\u003c= 3.1.1)"],"_cs_severities":["medium"],"_cs_tags":["credential-access","brute-force","flowiseai"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI, a low-code platform for building AI applications, contains a vulnerability in its basic authentication mechanism. Specifically, the \u003ccode\u003echeckBasicAuth\u003c/code\u003e endpoint validates credentials in plaintext without rate limiting, making it susceptible to brute-force attacks. The vulnerability, present in versions 3.1.1 and earlier, stems from the lack of rate limiting and the use of non-constant time comparison. The endpoint also returns distinct messages for successful and failed attempts, enabling attackers to enumerate valid usernames. Exploitation allows unauthorized access to the application\u0026rsquo;s functionalities and data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies the \u003ccode\u003echeckBasicAuth\u003c/code\u003e endpoint, typically \u003ccode\u003e/api/v1/checkBasicAuth\u003c/code\u003e, which is used for basic authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the \u003ccode\u003echeckBasicAuth\u003c/code\u003e endpoint, including a username and password in the request body.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and retrieves the username and password from the request body.\u003c/li\u003e\n\u003cli\u003eThe server compares the provided username and password directly with the values stored in the \u003ccode\u003eFLOWISE_USERNAME\u003c/code\u003e and \u003ccode\u003eFLOWISE_PASSWORD\u003c/code\u003e environment variables using the JavaScript 
\u003ccode\u003e===\u003c/code\u003e operator.\u003c/li\u003e\n\u003cli\u003eIf the credentials match, the server responds with a JSON message indicating \u0026ldquo;Authentication successful\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eIf the credentials do not match, the server responds with a different JSON message indicating \u0026ldquo;Authentication failed\u0026rdquo;. This allows enumeration.\u003c/li\u003e\n\u003cli\u003eThe attacker iteratively sends multiple requests with different username and password combinations, exploiting the lack of rate limiting to brute-force the credentials.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker gains unauthorized access to the FlowiseAI application and its resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass authentication and gain unauthorized access to FlowiseAI applications. This can lead to data breaches, unauthorized modification of AI workflows, and potential compromise of sensitive information processed by the AI models. Given the lack of rate limiting, even relatively weak passwords can be compromised through brute-force attacks. 
This issue affects FlowiseAI installations up to version 3.1.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/api/v1/checkBasicAuth\u003c/code\u003e endpoint to prevent brute-force attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect FlowiseAI Basic Auth Brute Force Attempts\u0026rdquo; to identify suspicious activity on the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eModify the authentication logic to use constant-time comparison functions to mitigate timing attacks, as described in the overview section of this brief.\u003c/li\u003e\n\u003cli\u003eChange the application to return generic error messages to prevent username enumeration, as described in the overview section of this brief.\u003c/li\u003e\n\u003cli\u003eUpgrade FlowiseAI to a version beyond 3.1.1 where this vulnerability is resolved.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T14:55:26Z","date_published":"2026-05-14T14:55:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-basic-auth/","summary":"FlowiseAI exposes a basic authentication endpoint without rate limiting, allowing attackers to brute-force credentials and gain unauthorized access to the application.","title":"FlowiseAI Exposes Basic Auth Credentials via API","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-basic-auth/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise \u003c= 3.1.1"],"_cs_severities":["high"],"_cs_tags":["mass assignment","tenant isolation","web application"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI, a low-code platform for building AI workflows, is vulnerable to a mass assignment flaw (CVE-2026-42861) affecting versions 3.1.1 and earlier.  
The vulnerability resides in the \u003ccode\u003e/api/v1/variables/{variableId}\u003c/code\u003e endpoint, which is used for updating variable resources. Due to missing server-side validation, an authenticated attacker can modify critical, server-controlled properties such as \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, and \u003ccode\u003eupdatedDate\u003c/code\u003e. This can lead to unauthorized cross-workspace reassignment of variables, potentially compromising tenant isolation in multi-tenant environments. The issue was reported in May 2026, and defenders need to implement mitigations to prevent unauthorized data access and manipulation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to FlowiseAI with valid user credentials.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a target variable ID within the application they wish to manipulate.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious PUT request to \u003ccode\u003e/api/v1/variables/{variableId}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request body includes the \u003ccode\u003eworkspaceId\u003c/code\u003e field, setting it to the ID of a different workspace the attacker wishes to access.\u003c/li\u003e\n\u003cli\u003eThe request body may also include modified \u003ccode\u003ecreatedDate\u003c/code\u003e and \u003ccode\u003eupdatedDate\u003c/code\u003e values for the variable.\u003c/li\u003e\n\u003cli\u003eThe FlowiseAI server, lacking proper validation, accepts the attacker-supplied \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, and \u003ccode\u003eupdatedDate\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eThe server updates the variable in the database with the attacker-controlled values, effectively reassigning the variable to the attacker\u0026rsquo;s chosen workspace.\u003c/li\u003e\n\u003cli\u003eThe 
attacker can now access and potentially manipulate resources within the targeted workspace using the reassigned variable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows authenticated users to manipulate internal variable attributes, potentially leading to cross-workspace reassignment of variables, unauthorized modification of metadata, and tenant isolation bypass in multi-workspace deployments. This can allow an attacker to move variables between workspaces without proper authorization. The vulnerability affects FlowiseAI installations version 3.1.1 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and authorization checks on the \u003ccode\u003e/api/v1/variables/{variableId}\u003c/code\u003e endpoint to prevent modification of server-controlled properties like \u003ccode\u003eworkspaceId\u003c/code\u003e, \u003ccode\u003ecreatedDate\u003c/code\u003e, and \u003ccode\u003eupdatedDate\u003c/code\u003e as described in CVE-2026-42861.\u003c/li\u003e\n\u003cli\u003eMonitor PUT requests to the \u003ccode\u003e/api/v1/variables/{variableId}\u003c/code\u003e endpoint for attempts to modify the \u003ccode\u003eworkspaceId\u003c/code\u003e parameter to detect potential exploitation attempts. 
Use the detection rule \u003ccode\u003eDetect FlowiseAI Mass Assignment in Variable Update\u003c/code\u003e to identify anomalous requests.\u003c/li\u003e\n\u003cli\u003eImplement workspace access controls and verify that users can only access variables within their assigned workspace, regardless of the \u003ccode\u003eworkspaceId\u003c/code\u003e attribute.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T14:53:24Z","date_published":"2026-05-14T14:53:24Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowise-mass-assignment/","summary":"FlowiseAI versions 3.1.1 and earlier contain a mass assignment vulnerability in the variable update endpoint allowing authenticated users to modify server-controlled properties like workspaceId, createdDate, and updatedDate, potentially breaking tenant isolation in multi-workspace environments (CVE-2026-42861).","title":"FlowiseAI Mass Assignment Vulnerability in Variable Update Endpoint","url":"https://feed.craftedsignal.io/briefs/2026-05-flowise-mass-assignment/"}],"language":"en","title":"CraftedSignal Threat Feed — FlowiseAI","version":"https://jsonfeed.org/version/1.1"}