VYPR
High severity · NVD Advisory · Published May 14, 2026 · Updated May 14, 2026

FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment

CVE-2026-42862

Description

Summary

A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI.

The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource.

Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign tools to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments.

Details

The endpoint responsible for updating tools:

PUT /api/v1/tools/{toolId}

accepts a JSON request body containing tool metadata.

However, the server does not restrict which properties of that body are applied to the stored entity. As a result, a user-controlled request body can include additional fields that should be set only by the backend, and those values are accepted as if they were legitimate metadata updates.

Server-controlled fields that can be manipulated include:

  1. workspaceId
  2. createdDate
  3. updatedDate

The request body is merged directly into the underlying database entity without a DTO or allow-list restricting the updatable fields, and without an authorization check that the target workspace belongs to the caller.

PoC

Authenticate to the Flowise interface.

Capture the request used to update a tool:

PUT /api/v1/tools/<TOOL_ID>
Content-Type: application/json

Modify the request body by injecting additional fields:

{
  "name": "aaa",
  "description": "bbb",
  "color": "linear-gradient(rgb(109,215,45), rgb(136,170,134))",
  "schema": "[]",
  "func": "",
  "iconSrc": "test",
  "workspaceId": "11111111-2222-3333-4444-555555555555",
  "createdDate": "1995-03-06T14:17:50.000Z",
  "updatedDate": "1995-03-06T14:17:50.000Z"
}

Send the request.

Observe that the response includes the manipulated fields:

{
  "workspaceId": "11111111-2222-3333-4444-555555555555",
  "createdDate": "1995-03-06T14:17:50.000Z"
}

This confirms that client-controlled values are accepted and persisted by the server.
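The merge behaviour described under Details and demonstrated by the PoC above, shown side by side with the kind of allow-list plus workspace-authorization fix that closes it. This is an added example written for this page, not Flowise's own handler code; the entity shape, the set of updatable fields, the ForbiddenError/ValidationError names and the sample tool record are assumptions modelled on the PoC request body, and the functions are pure so the example runs offline.

```typescript
// Added example, not FlowiseAI project code. Entity shape and field names are
// assumptions based on the PoC body for PUT /api/v1/tools/{toolId}.

type Tool = {
  id: string;
  name: string;
  description: string;
  color: string;
  schema: string;
  func: string;
  iconSrc: string;
  workspaceId: string;   // server-owned: tenant boundary
  createdDate: string;   // server-owned
  updatedDate: string;   // server-owned
};

// Allow-list of fields a client may change on a tool update (assumed set).
const UPDATABLE_FIELDS = ["name", "description", "color", "schema", "func", "iconSrc"] as const;

class ForbiddenError extends Error {}
class ValidationError extends Error {}

// Vulnerable pattern: the entire request body is spread onto the entity, so
// workspaceId, createdDate and updatedDate from the client are persisted too.
function updateToolVulnerable(existing: Tool, body: Record<string, unknown>): Tool {
  return { ...existing, ...(body as Partial<Tool>) };
}

// Hardened pattern: (1) the tool must belong to the caller's workspace,
// (2) only allow-listed fields are copied, (3) the server stamps updatedDate.
function updateToolHardened(
  existing: Tool,
  body: Record<string, unknown>,
  callerWorkspaceId: string,
  now: Date = new Date()
): Tool {
  if (existing.workspaceId !== callerWorkspaceId) {
    throw new ForbiddenError("tool does not belong to the caller's workspace");
  }
  const patch: Record<string, string> = {};
  for (const field of UPDATABLE_FIELDS) {
    if (field in body) {
      const value = body[field];
      if (typeof value !== "string") throw new ValidationError(`${field} must be a string`);
      patch[field] = value;
    }
  }
  return { ...existing, ...patch, updatedDate: now.toISOString() };
}

// Names of server-owned fields a body attempted to set; worth logging as an
// attempted mass-assignment even after the fix rejects them.
function rejectedFields(body: Record<string, unknown>): string[] {
  const allowed = new Set<string>(UPDATABLE_FIELDS);
  return Object.keys(body).filter((k) => !allowed.has(k));
}

// Constructed sample tool (not real data) living in workspace "aaaa...".
const existingTool: Tool = {
  id: "7c2f1d2e-0000-4000-8000-000000000001",
  name: "old",
  description: "old",
  color: "#000000",
  schema: "[]",
  func: "",
  iconSrc: "",
  workspaceId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  createdDate: "2026-05-01T10:00:00.000Z",
  updatedDate: "2026-05-01T10:00:00.000Z",
};

// The PoC body from this advisory, with the injected server-owned fields.
const pocBody: Record<string, unknown> = {
  name: "aaa",
  description: "bbb",
  color: "linear-gradient(rgb(109,215,45), rgb(136,170,134))",
  schema: "[]",
  func: "",
  iconSrc: "test",
  workspaceId: "11111111-2222-3333-4444-555555555555",
  createdDate: "1995-03-06T14:17:50.000Z",
  updatedDate: "1995-03-06T14:17:50.000Z",
};

// Stand-alone demo: the vulnerable merge moves the tool to the attacker's
// workspace; the hardened version keeps it and records the rejected fields.
console.log("vulnerable ->", updateToolVulnerable(existingTool, pocBody).workspaceId);
console.log("hardened   ->", updateToolHardened(existingTool, pocBody, existingTool.workspaceId).workspaceId);
console.log("rejected   ->", rejectedFields(pocBody));
```

The authorization check compares the tool's stored workspaceId against the caller's session workspace rather than anything in the body, which is the property the PoC shows was missing: without it, an allow-list alone would still let a user in one workspace edit a tool that belongs to another.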

Impact

This vulnerability allows authenticated users to manipulate internal attributes of tool resources.

Confirmed impacts include:

  • Cross-workspace reassignment of tools (workspaceId)
  • Unauthorized modification of metadata (createdDate, updatedDate)

In multi-tenant deployments, this may allow an attacker to move tools between workspaces without authorization, breaking tenant isolation boundaries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mass assignment in FlowiseAI tool update endpoint allows authenticated users to reassign tools to arbitrary workspaces, breaking tenant isolation.

Vulnerability

The PUT /api/v1/tools/{toolId} endpoint in FlowiseAI (versions prior to 3.1.2) suffers from a mass assignment vulnerability. The server directly merges the JSON request body into the database entity without validating which fields are allowed. This allows an authenticated user to inject server-controlled properties such as workspaceId, createdDate, and updatedDate [3][4].

Exploitation

An attacker must be authenticated to the Flowise interface. They capture a legitimate tool update request and modify the JSON body to include additional fields like "workspaceId": "11111111-2222-3333-4444-555555555555". The server accepts and persists these values, as demonstrated in the published PoC [3][4].

Impact

Successful exploitation enables cross-workspace reassignment of tools by manipulating the workspaceId field, breaking tenant isolation in multi-workspace environments. Additionally, an attacker can arbitrarily modify metadata timestamps (createdDate, updatedDate) [3][4].

Mitigation

The issue is fixed in FlowiseAI version 3.1.2, released on 2026-05-14 [1]. Users should upgrade to this version or later. No workaround is documented; the fix introduces proper DTO validation and authorization checks on the tool update endpoint [1][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
flowise (npm) | < 3.1.2 | 3.1.2
