Mass Assignment Vulnerability in Flowise DocumentStore by FlowiseAI
CVE-2026-41277

7.6 HIGH

Key Information:

Vendor

FlowiseAI

Status
Vendor
CVE Published:
23 April 2026

What is CVE-2026-41277?

The Flowise application, a user-friendly interface for creating customized large language model flows, is affected by a Mass Assignment vulnerability in the DocumentStore creation endpoint. This flaw permits authenticated users to manipulate the primary key and internal state fields of DocumentStore entities. By leveraging this vulnerability, an attacker could overwrite existing DocumentStore objects, potentially leading to unauthorized reassignment or modification of objects across different workspaces in multi-tenant environments. The issue arises from the use of a client-supplied primary key in the repository.save() method, which functions as an implicit UPSERT operation. This vulnerability emphasizes the need for robust object-level authorization mechanisms to prevent such exploits. A fix has been implemented in version 3.1.0.
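The pattern described above, reduced to an added example that is not Flowise's code or its 3.1.0 patch: an in-memory repository whose save() upserts by primary key, a create handler that copies the request body onto the entity, and a hardened handler that allowlists fields and sets id, status and workspace on the server. The Repo class, the field names and the workspace values are assumptions made for the illustration.

```typescript
// Added illustration; field names are assumptions, not Flowise's actual schema.
interface DocumentStore {
  id: string; name: string; description: string; status: string; workspaceId: string;
}
type Body = Record<string, unknown>;

// In-memory stand-in for an ORM repository whose save() is an implicit UPSERT:
// a row with the same primary key is overwritten, otherwise a new row is inserted.
class Repo {
  rows = new Map<string, DocumentStore>();
  seq = 0;
  nextId(): string { this.seq += 1; return `srv-${this.seq}`; } // stands in for a server-side UUID
  save(row: DocumentStore): DocumentStore { this.rows.set(row.id, { ...row }); return row; }
}

// Mass-assignment pattern: every key in the request body lands on the entity,
// so client-supplied id, status and workspaceId replace the server's values.
function createVulnerable(repo: Repo, body: Body, sessionWorkspace: string): DocumentStore {
  const entity: DocumentStore = {
    id: repo.nextId(), name: "", description: "", status: "EMPTY", workspaceId: sessionWorkspace,
  };
  Object.assign(entity, body);
  return repo.save(entity);
}

// Hardened form: only allowlisted fields are read from the body; the primary key,
// internal state and tenant binding always come from the server and the session.
function createHardened(repo: Repo, body: Body, sessionWorkspace: string): DocumentStore {
  const str = (v: unknown): string => (typeof v === "string" ? v : "");
  return repo.save({
    id: repo.nextId(),
    name: str(body["name"]),
    description: str(body["description"]),
    status: "EMPTY",
    workspaceId: sessionWorkspace,
  });
}

// Regression check on constructed data: a create request from workspace ws-B that
// carries extra fields must not change the row owned by workspace ws-A.
function demo(create: typeof createVulnerable): { first: DocumentStore | undefined; rows: number } {
  const repo = new Repo();
  const first = create(repo, { name: "tenant-A docs" }, "ws-A");
  create(repo, { id: first.id, name: "replaced", status: "SYNC", workspaceId: "ws-B" }, "ws-B");
  return { first: repo.rows.get(first.id), rows: repo.rows.size };
}
```

With createVulnerable the second request overwrites the first row and moves it to ws-B; with createHardened it produces a separate row and the first one is unchanged.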

Affected Version(s)

Flowise < 3.1.0

CVSS V4

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None
