PatchSiren cyber security CVE debrief
CVE-2026-46441 FlowiseAI CVE debrief
A high-severity vulnerability was discovered in FlowiseAI, a drag-and-drop user interface for building customized large language model flows. The issue, tracked as CVE-2026-46441, is a mass assignment vulnerability in the assistant update endpoint. This vulnerability allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces, breaking tenant isolation in multi-workspace environments.
- Vendor: FlowiseAI
- Product: Flowise
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-11
Who should care
Users of FlowiseAI, especially those operating in multi-workspace environments, should be aware of this vulnerability. The issue affects FlowiseAI versions prior to 3.1.2.
Technical summary
CVE-2026-46441 is a high-severity vulnerability with a CVSS score of 7.6. It is caused by a mass assignment issue in the assistant update endpoint of FlowiseAI. The vulnerability allows authenticated users to modify sensitive properties, potentially leading to unauthorized access and data manipulation.
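The mass-assignment pattern described above, next to a hardened update that allowlists client-writable fields and keeps the record scoped to the caller's workspace. This is an added example, not Flowise's code: the function names, the allowlisted fields (`details`, `credential`, `iconSrc`), the 404 response and the sample data are assumptions.

```javascript
// Added illustration, not Flowise source code. Field names other than
// workspaceId, createdDate and updatedDate are assumptions.

// Hypothetical allowlist of fields a client may change on an assistant.
const CLIENT_WRITABLE = new Set(["details", "credential", "iconSrc"]);

// Mass-assignment pattern: the request body is merged straight into the
// stored record, so server-controlled fields in the body win.
function updateAssistantUnsafe(stored, body) {
  return { ...stored, ...body };
}

// Hardened pattern: scope the record to the caller's workspace, copy only
// allowlisted fields, and set updatedDate on the server.
function updateAssistantSafe(stored, body, callerWorkspaceId, now = new Date()) {
  if (stored.workspaceId !== callerWorkspaceId) {
    return { ok: false, status: 404, rejected: [] };
  }
  const assistant = { ...stored };
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (CLIENT_WRITABLE.has(key)) assistant[key] = value;
    else rejected.push(key); // log these: client tried to set a server field
  }
  assistant.updatedDate = now.toISOString();
  return { ok: true, status: 200, assistant, rejected };
}

// Constructed sample record and request body.
const storedAssistant = {
  id: "a-1",
  workspaceId: "ws-A",
  details: "{}",
  createdDate: "2026-01-01T00:00:00.000Z",
  updatedDate: "2026-01-01T00:00:00.000Z",
};
const tamperedBody = {
  details: '{"name":"renamed"}',
  workspaceId: "ws-B",
  createdDate: "2020-01-01T00:00:00.000Z",
};

const result = updateAssistantSafe(storedAssistant, tamperedBody, "ws-A");
console.log(result.assistant.workspaceId, result.rejected);
```

The `rejected` list doubles as a monitoring signal: an update request that names `workspaceId` or the date fields is worth logging and alerting on.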
Defensive priority
HIGH
Recommended defensive actions
- Update FlowiseAI to version 3.1.2 or later to patch the vulnerability.
- Review and restrict access to the assistant update endpoint to prevent unauthorized modifications.
- Monitor for suspicious activity in multi-workspace environments.
Evidence notes
The vulnerability was patched in FlowiseAI version 3.1.2. Users can find more information and the patched version in the [flowise@3.1.2 release](https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2).
Official resources
- CVE-2026-46441 CVE record (CVE.org)
- CVE-2026-46441 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Product, Release Notes
- Mitigation or vendor reference: Exploit, Vendor Advisory
CVE-2026-46441 was published on 2026-06-08T16:16:41.190Z and modified on 2026-06-11T04:06:52.607Z.