PatchSiren

CVE-2026-42862 FlowiseAI CVE debrief

CVE-2026-42862 is a high-severity vulnerability in FlowiseAI Flowise, a drag-and-drop user interface for building customized large language model flows. The issue, patched in version 3.1.2, allows authenticated users to manipulate the workspaceId field and reassign tools to arbitrary workspaces, breaking tenant isolation in multi-workspace environments.

Vendor: FlowiseAI
Product: Flowise
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-11
Advisory published: 2026-06-08
Advisory updated: 2026-06-11

Who should care

Anyone running FlowiseAI Flowise, especially in a multi-workspace environment, should be aware of this vulnerability and patch their installation immediately.

Technical summary

A mass assignment vulnerability exists in the tool update endpoint of FlowiseAI Flowise. Prior to version 3.1.2, authenticated users can modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. This is possible due to missing server-side validation and authorization checks. An attacker can manipulate the workspaceId field, reassigning tools to arbitrary workspaces and breaking tenant isolation in multi-workspace environments.
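
The pattern described above, as an added TypeScript example (not Flowise's own code; the `Tool` shape, the in-memory store, the editable field list and the function names are assumptions): an update handler that merges the request body wholesale, beside one that scopes the lookup to the caller's workspace and copies only allowlisted fields.

```typescript
// Added illustration of the mass-assignment pattern; not Flowise source code.
// Tool, the in-memory store and the editable field names are assumptions.
interface Tool {
    id: string
    name: string
    description: string
    workspaceId: string
    createdDate: string
    updatedDate: string
}

// Constructed sample record owned by workspace "ws-a".
function sampleStore(): Map<string, Tool> {
    const t: Tool = { id: 't1', name: 'calc', description: 'adds numbers',
        workspaceId: 'ws-a', createdDate: '2026-01-01T00:00:00Z', updatedDate: '2026-01-01T00:00:00Z' }
    return new Map<string, Tool>([[t.id, t]])
}

// Vulnerable shape: the request body is merged wholesale, so server-controlled
// properties are overwritten by whatever the client sends.
function updateToolUnsafe(store: Map<string, Tool>, id: string, body: Record<string, unknown>): Tool {
    const existing = store.get(id)
    if (!existing) throw new Error('not found')
    const merged = { ...existing, ...body } as Tool
    store.set(id, merged)
    return merged
}

// Hardened shape: scope the lookup to the caller's workspace, copy only
// allowlisted fields, and set updatedDate on the server.
const EDITABLE = ['name', 'description'] as const

function updateToolSafe(store: Map<string, Tool>, callerWorkspaceId: string, id: string,
    body: Record<string, unknown>, now: string): Tool {
    const existing = store.get(id)
    // Same error for "missing" and "other tenant" so tool IDs cannot be probed.
    if (!existing || existing.workspaceId !== callerWorkspaceId) throw new Error('not found')
    const updated: Tool = { ...existing, updatedDate: now }
    for (const key of EDITABLE) {
        const value = body[key]
        if (typeof value === 'string') updated[key] = value
    }
    store.set(id, updated)
    return updated
}
```

In the hardened handler the caller's workspace comes from the authenticated session, never from the request body.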

Defensive priority

High

Recommended defensive actions

  • Update FlowiseAI Flowise to version 3.1.2 or later to patch the vulnerability.
  • Review and restrict access to the tool update endpoint to ensure only authorized users can modify tool resources.
  • Monitor your FlowiseAI Flowise installation for any suspicious activity related to tool updates and workspace assignments.

Evidence notes

CVE-2026-42862 has been patched in FlowiseAI Flowise version 3.1.2. For more information, see the [Flowise 3.1.2 release](https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2) and the [GitHub security advisory GHSA-x5v6-pj28-cwwm](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x5v6-pj28-cwwm).

Official resources

CVE-2026-42862 was published on 2026-06-08 and modified on 2026-06-11.