CVE-2026-46475

Published: Jun 8, 2026Modified: Jun 12, 2026

7.7

Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security-advisories@github.com (Secondary)

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2.

Affected (1)

Products: Flowiseai: Flowise

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Flowiseai Flowise	Before 3.1.2

Related CWEs

Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

References (3)

https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-78pr-c5x5-jggc

Source: security-advisories@github.com

MitigationVendor Advisory

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-78pr-c5x5-jggc

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

MitigationVendor Advisory

Timeline

No history available yet.