PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42861 FlowiseAI CVE debrief

A high-severity vulnerability exists in FlowiseAI Flowise, allowing authenticated users to manipulate workspace IDs and reassign variables to arbitrary workspaces. This issue, CVE-2026-42861, has been patched in version 3.1.2.

Vendor: FlowiseAI
Product: Flowise
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-11
Advisory published: 2026-06-08
Advisory updated: 2026-06-11

Who should care

Anyone running FlowiseAI Flowise should be aware of this vulnerability and act on it, especially in multi-workspace environments.

Technical summary

A mass assignment vulnerability exists in the variable update endpoint of FlowiseAI Flowise. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces. This behavior may break tenant isolation in multi-workspace environments.

Defensive priority

high

Recommended defensive actions

  • Upgrade to FlowiseAI Flowise version 3.1.2 or later.
  • Review and restrict access to the variable update endpoint.
  • Implement additional validation and authorization checks for workspaceId and other server-controlled properties.
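The mass assignment pattern from the technical summary next to a hardened update handler, as an added example that is not Flowise source code. The in-memory store, the function names and the editable-field list are hypothetical, and the sample records are constructed.

```typescript
// Added example with hypothetical names; this is not Flowise source code.
interface Variable {
  id: string; name: string; value: string; type: string;
  workspaceId: string; createdDate: string; updatedDate: string;
}
type Body = Record<string, unknown>;

// Constructed sample data: one variable in each of two workspaces.
function makeStore(): Variable[] {
  const t = "2026-01-01T00:00:00.000Z";
  return [
    { id: "v1", name: "API_BASE", value: "a", type: "static", workspaceId: "ws-a", createdDate: t, updatedDate: t },
    { id: "v2", name: "API_BASE", value: "b", type: "static", workspaceId: "ws-b", createdDate: t, updatedDate: t },
  ];
}

function findById(store: Variable[], id: string): Variable | undefined {
  for (let i = 0; i < store.length; i++) {
    const v = store[i];
    if (v && v.id === id) return v;
  }
  return undefined;
}

// Mass assignment: every key in the request body is copied onto the record,
// so a body containing workspaceId moves the variable to another workspace.
function updateVariableUnsafe(store: Variable[], id: string, body: Body): Variable | undefined {
  const v = findById(store, id);
  if (!v) return undefined;
  const rec = v as unknown as Body;
  for (const key in body) rec[key] = body[key];
  return v;
}

// Fields a client may change; workspaceId, createdDate and updatedDate are server-only.
const EDITABLE: string[] = ["name", "value", "type"];

// Hardened: the lookup is scoped to the caller's workspace (taken from the
// session, never from the body) and only allowlisted string fields are copied.
function updateVariableSafe(store: Variable[], callerWorkspaceId: string, id: string, body: Body): Variable | undefined {
  const v = findById(store, id);
  if (!v || v.workspaceId !== callerWorkspaceId) return undefined; // same answer as "not found"
  const rec = v as unknown as Body;
  EDITABLE.forEach(function (key: string) {
    const val = body[key];
    if (typeof val === "string") rec[key] = val;
  });
  v.updatedDate = new Date().toISOString(); // server-generated timestamp
  return v;
}
```

Returning the same result for a missing record and a record in another workspace keeps the handler from confirming which variable IDs exist outside the caller's workspace.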

Evidence notes

CVE-2026-42861 has a CVSS score of 7.6 and is considered HIGH severity. The vulnerability was published on 2026-06-08T16:16:39.503Z and modified on 2026-06-11T03:53:34.103Z.

Official resources

CVE-2026-42861 was published on 2026-06-08T16:16:39.503Z and modified on 2026-06-11T03:53:34.103Z.