PatchSiren cyber security CVE debrief
CVE-2026-46480 FlowiseAI CVE debrief
CVE-2026-46480 is a HIGH-severity vulnerability in Flowise, a drag & drop user interface for building customized large language model flows. The issue, patched in version 3.1.2, allows cross-workspace evaluator takeover due to evaluator create and update mass-assignment.
- Vendor: FlowiseAI
- Product: Flowise
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-09
Who should care
Users of Flowise, especially those with multiple workspaces, should be aware of this vulnerability and take immediate action to protect their systems.
Technical summary
Flowise, a drag & drop user interface for building customized large language model flows, is vulnerable to cross-workspace evaluator takeover. This HIGH-severity issue (CVSS Score: 7.7) is caused by evaluator create and update mass-assignment and has been patched in version 3.1.2.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Flowise to version 3.1.2 or later.
- Review and restrict evaluator create and update permissions to prevent mass-assignment.
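The mass-assignment class named in the technical summary, shown beside a hardened form, as an added example that is not Flowise code or taken from the advisory. The in-memory store, the function names and the field names (id, name, type, config, workspaceId) are all assumptions made for illustration.

```javascript
// Added example: hypothetical in-memory model, not Flowise code.
// Field names (id, name, type, config, workspaceId) are assumptions.
const ALLOWED_FIELDS = ['name', 'type', 'config']; // client-editable fields only
function pickAllowed(body) {
  const out = {};
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Mass-assignment pattern: the whole request body is merged over the
// server-side defaults, so a client-sent id or workspaceId wins.
function saveEvaluatorUnsafe(store, session, body) {
  const defaults = { id: 'ev-' + (store.size + 1), workspaceId: session.workspaceId };
  const record = Object.assign(defaults, body);
  store.set(record.id, record);
  return record;
}

// Hardened create: id and workspaceId are always set by the server.
function createEvaluator(store, session, body) {
  const record = { ...pickAllowed(body), id: 'ev-' + (store.size + 1), workspaceId: session.workspaceId };
  store.set(record.id, record);
  return record;
}

// Hardened update: the record must belong to the caller's workspace, and
// only allowlisted fields change. One error for "missing" and "foreign".
function updateEvaluator(store, session, id, body) {
  const existing = store.get(id);
  if (!existing || existing.workspaceId !== session.workspaceId) throw new Error('evaluator not found');
  return Object.assign(existing, pickAllowed(body));
}

// Constructed sessions and request body, for illustration only.
function demo() {
  const alice = { workspaceId: 'ws-A' }, bob = { workspaceId: 'ws-B' };
  const tampered = { id: 'ev-1', workspaceId: 'ws-B', name: 'renamed' };
  const unsafe = new Map(), safe = new Map();
  saveEvaluatorUnsafe(unsafe, alice, { name: 'accuracy' });
  saveEvaluatorUnsafe(unsafe, bob, tampered);
  createEvaluator(safe, alice, { name: 'accuracy' });
  const created = createEvaluator(safe, bob, tampered);
  let updateRejected = false;
  try { updateEvaluator(safe, bob, 'ev-1', tampered); } catch (e) { updateRejected = true; }
  return { unsafeOwner: unsafe.get('ev-1').workspaceId, safeOwner: safe.get('ev-1').workspaceId,
           safeName: safe.get('ev-1').name, createdId: created.id, updateRejected };
}
```

When reviewing create and update handlers, look for any place where a request body is spread or merged into a persisted entity without an allowlist and without a workspace ownership check.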
Evidence notes
This vulnerability was patched in version 3.1.2. See [ref-4](https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2) for release notes and [ref-5](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wxrr-jp8m-qq7f) for mitigation and vendor advisory.
Official resources
- CVE-2026-46480 CVE record (CVE.org)
- CVE-2026-46480 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: flowise@3.1.2 - Release Notes
- Mitigation or vendor reference: Mitigation, Vendor Advisory
CVE-2026-46480 was published on 2026-06-08T16:16:42.600Z and modified on 2026-06-09T14:57:08.360Z.