PatchSiren

CVE-2026-46479 FlowiseAI CVE debrief

CVE-2026-46479 is a high-severity vulnerability in Flowise, a drag & drop user interface to build customized large language model flows. The vulnerability, with a CVSS score of 7.7, allows for cross-workspace evaluation takeover due to mass-assignment issues in evaluation create and update operations. This issue was patched in version 3.1.2 of Flowise.

Vendor: FlowiseAI
Product: Flowise
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-15
Advisory published: 2026-06-08
Advisory updated: 2026-06-15

Who should care

Users of Flowise, especially those who manage large language model flows across multiple workspaces, should be aware of this vulnerability. It is crucial for them to update to version 3.1.2 or later to mitigate the risk of cross-workspace evaluation takeover.

Technical summary

The vulnerability in Flowise arises from mass-assignment issues in the create and update operations for evaluations. This allows an attacker with low privileges to take over evaluations across different workspaces, potentially leading to unauthorized access and manipulation of sensitive data and models.

Defensive priority

High

Recommended defensive actions

  • Update Flowise to version 3.1.2 or later.
  • Review and restrict evaluation create and update operations to ensure proper authorization and validation of user input.
  • Monitor Flowise instances for any suspicious activity related to evaluations.
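
For the review of create and update operations recommended above, the following added example (not Flowise source code, and not taken from the advisory) shows a generic mass-assignment pattern beside a hardened form. The in-memory store, the field names (workspaceId, name, datasetId) and all function names are assumptions made for illustration; the advisory does not name the affected fields.

```javascript
// Added illustration; not Flowise source code. Store, field names and
// function names are hypothetical.
const store = new Map(); // id -> evaluation record (constructed sample data)
let nextId = 1;

// Fields a client may set. Identity and ownership fields are deliberately absent.
const CLIENT_FIELDS = ['name', 'datasetId'];

function pickAllowed(body) {
  const out = {};
  for (const key of CLIENT_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Mass-assignment pattern: the request body is merged into the record as-is,
// so a client-supplied workspaceId replaces the server-side value and the
// lookup is not scoped to the caller's workspace.
function updateEvaluationUnsafe(id, body) {
  const record = store.get(id);
  if (!record) return null;
  Object.assign(record, body);
  return record;
}

// Hardened create: id is generated server-side and the workspace comes from
// the authenticated session only, never from the request body.
function createEvaluation(session, body) {
  const record = {
    ...pickAllowed(body),
    id: String(nextId++),
    workspaceId: session.workspaceId,
  };
  store.set(record.id, record);
  return record;
}

// Hardened update: the lookup is scoped to the caller's workspace and only
// allowlisted fields are copied. A foreign record is reported as not found.
function updateEvaluation(session, id, body) {
  const record = store.get(id);
  if (!record || record.workspaceId !== session.workspaceId) return null;
  Object.assign(record, pickAllowed(body));
  return record;
}
```

When reviewing a real handler, the two things to look for are the same as here: which body keys reach the persistence layer, and whether the record lookup includes the caller's workspace.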

Evidence notes

The CVE record and details were obtained from official sources, including CVE.org and the National Vulnerability Database (NVD).

Official resources

CVE-2026-46479 was published on 2026-06-08T16:16:42.443Z and modified on 2026-06-15T13:56:30.973Z.