Improper Mass Assignment Vulnerability in Flowise Cloud by Flowise
CVE-2026-41267

8.1HIGH

Key Information:

Vendor: Flowiseai
Status: Flowise
Vendor: CVE Published:; 23 April 2026

What is CVE-2026-41267?

Flowise Cloud, a user-friendly interface for building customized large language models, is susceptible to an improper mass assignment vulnerability in its account registration endpoint. This issue allows unauthenticated users to manipulate server-controlled fields and nested objects when creating accounts. Consequently, this exploitation can result in unauthorized modifications to ownership metadata, timestamps, organization associations, and role mappings, thereby compromising the security and integrity of user data in a multi-tenant architecture. The vulnerability was addressed in version 3.1.0.

Affected Version(s)

Flowise < 3.1.0

References

https://github.com/FlowiseAI/Flowise/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 23, 2026
Vulnerability Reserved
Apr 18, 2026

CVE-2026-41267 Data

JSON

Flowiseai

What is CVE-2026-41267?

Affected Version(s)

References

CVSS V3.1

Timeline