PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46476 FlowiseAI CVE debrief

CVE-2026-46476 is a HIGH severity vulnerability in Flowise, a drag & drop user interface for building customized large language model flows. Mass-assignment in CustomTemplate create and update allows a cross-workspace template takeover. The vulnerability was patched in version 3.1.2.

Vendor: FlowiseAI
Product: Flowise
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-15
Advisory published: 2026-06-08
Advisory updated: 2026-06-15

Who should care

Users of Flowise, especially those hosting it in a multi-workspace environment, should be aware of this vulnerability. An attacker with low privileges could exploit it to take over templates across different workspaces.

Technical summary

The vulnerability is a mass-assignment flaw in the CustomTemplate create and update functionality of Flowise, which could lead to a cross-workspace template takeover. Its Common Vulnerability Scoring System (CVSS) score is 7.7, indicating a HIGH severity level.
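The general mass-assignment pattern behind this class of bug, next to its hardened form, as an added example. It is not Flowise source code: the in-memory store, the record shape, and the field names (`workspaceId`, `flowData`, `EDITABLE_FIELDS`) are assumptions made for illustration.

```javascript
// Added illustration, not Flowise source. Field names and record shape are assumptions.
const EDITABLE_FIELDS = ['name', 'description', 'flowData']; // hypothetical allowlist

// Constructed sample data: one template owned by workspace "ws-A".
function makeStore() {
  return new Map([['t-1', { id: 't-1', workspaceId: 'ws-A', name: 'Invoice bot', flowData: '{}' }]]);
}

// Weak pattern: the whole request body is bound onto the record, so the
// client, not the server, decides the record id and the owning workspace.
// The session is never consulted.
function unsafeSave(store, session, body) {
  const record = { ...(store.get(body.id) || {}), ...body };
  store.set(record.id, record);
  return record;
}

// Copy only allowlisted, client-editable fields out of the request body.
function pickEditable(body) {
  const out = {};
  for (const key of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Hardened create: id is chosen by the server, workspaceId comes from the session.
function safeCreate(store, session, body) {
  const record = { ...pickEditable(body), id: `t-${store.size + 1}`, workspaceId: session.workspaceId };
  store.set(record.id, record);
  return record;
}

// Hardened update: id comes from the route, ownership is checked before writing,
// and ownership fields cannot be changed through the body.
function safeUpdate(store, session, id, body) {
  const existing = store.get(id);
  if (!existing || existing.workspaceId !== session.workspaceId) {
    throw new Error('template not found'); // same error for missing and foreign rows
  }
  const record = { ...existing, ...pickEditable(body) };
  store.set(id, record);
  return record;
}
```

When reviewing an upgrade or a fork, the two properties to confirm are the ones the hardened functions enforce: ownership fields are never read from the request body, and every update is scoped to the caller's workspace before the write.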

Defensive priority

HIGH

Recommended defensive actions

  • Users of Flowise should update to version 3.1.2 or later to mitigate this vulnerability.
  • Review and restrict the permissions of users who can create and update CustomTemplates.
  • Monitor for any suspicious activity related to template modifications.

Evidence notes

The CVE-2026-46476 vulnerability was published on [cve-org] and additional details can be found on [nvd]. The vendor has released a patch for this issue, which is documented in [ref-4] and [ref-5].

Official resources

CVE-2026-46476 was published on 2026-06-08T16:16:41.950Z and modified on 2026-06-15T14:04:20.547Z.