PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46478 FlowiseAI CVE debrief

CVE-2026-46478 is a high-severity vulnerability (CVSS 7.7) in Flowise, a drag & drop user interface for building customized large language model flows. The issue is tracked as CWE-915: in versions prior to 3.1.2, mass assignment in the DatasetRow create and update operations allows cross-workspace row takeover.

Vendor: FlowiseAI
Product: Flowise
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-15
Advisory published: 2026-06-08
Advisory updated: 2026-06-15

Who should care

Users of Flowise running a version prior to 3.1.2 should be aware of this vulnerability and update to version 3.1.2 or later to mitigate it.

Technical summary

The vulnerability in Flowise arises from mass-assignment issues in DatasetRow create and update operations. This allows an attacker to take over rows across different workspaces, potentially leading to unauthorized access and manipulation of sensitive data. The issue has been addressed in Flowise version 3.1.2.

Defensive priority

HIGH

Recommended defensive actions

  • Update Flowise to version 3.1.2 or later to patch the vulnerability.
  • Review and restrict DatasetRow create and update operations to ensure proper authorization and validation.
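
What the second action can look like in a Node.js handler, as an added example that is not Flowise's code: a generic CWE-915 mass-assignment update next to an allowlisted, workspace-scoped update and create. The field names (input, output, workspaceId, datasetId), the session shape and the in-memory store are assumptions made for illustration.

```javascript
// Added example. Field names, session shape and the in-memory store are
// assumptions for illustration; this is not Flowise's code.
const WRITABLE_FIELDS = ["input", "output"]; // only fields a client may set

// Constructed sample data: one row per workspace.
function makeStore() {
  return new Map([
    ["row-a", { id: "row-a", workspaceId: "ws-a", datasetId: "ds-a", input: "q1", output: "a1" }],
    ["row-b", { id: "row-b", workspaceId: "ws-b", datasetId: "ds-b", input: "q2", output: "a2" }],
  ]);
}

// Generic CWE-915 pattern: every key in the body, including ownership
// columns, is copied onto the stored row, and the caller is never checked.
function updateRowMassAssign(store, rowId, body) {
  const row = store.get(rowId);
  if (!row) return { status: 404 };
  Object.assign(row, body);
  return { status: 200, row };
}

// Copy only allowlisted keys; report anything else so it can be rejected.
function pickWritable(body) {
  const data = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (WRITABLE_FIELDS.includes(key)) data[key] = body[key];
    else rejected.push(key);
  }
  return { data, rejected };
}

// Hardened update: ownership comes from the session, never from the body.
function updateRow(store, session, rowId, body) {
  const row = store.get(rowId);
  // Foreign and missing rows get the same answer so ids cannot be probed.
  if (!row || row.workspaceId !== session.workspaceId) return { status: 404 };
  const { data, rejected } = pickWritable(body);
  if (rejected.length > 0) return { status: 400, rejected };
  Object.assign(row, data);
  return { status: 200, row };
}

// Hardened create: id, datasetId and workspaceId are set server-side.
function createRow(store, session, dataset, body) {
  if (dataset.workspaceId !== session.workspaceId) return { status: 404 };
  const { data, rejected } = pickWritable(body);
  if (rejected.length > 0) return { status: 400, rejected };
  const row = { ...data, id: `row-${store.size + 1}`, datasetId: dataset.id, workspaceId: session.workspaceId };
  store.set(row.id, row);
  return { status: 201, row };
}
```

Returning 400 with the rejected keys, rather than silently dropping them, also gives logging a clear signal when a client sends ownership fields it should never set.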

Evidence notes

The CVE-2026-46478 vulnerability details were obtained from the official CVE record and NVD database. The issue has been patched in Flowise version 3.1.2, as noted in the release notes and vendor advisory.

Official resources

CVE-2026-46478 was published on 2026-06-08T16:16:42.277Z and modified on 2026-06-15T13:58:37.763Z.