Mass Assignment Vulnerability in Flowise API Affects User Credential Management
CVE-2026-56276
6 MEDIUM
What is CVE-2026-56276?
Flowise prior to version 3.1.2 contains a mass assignment vulnerability in the /api/v1/user endpoint that lets authenticated users alter the credential field without any validation. This flaw permits attackers to bypass password change verification and session invalidation. By providing a manipulated password hash, an attacker can turn a temporary session compromise into persistent access to the account, which poses significant risks to user account security and the integrity of the Flowise platform.
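The mass assignment pattern described above, next to a hardened form, as an added example that is not Flowise source code. Only the `credential` field comes from the advisory; the other field names, `sessionVersion`, and the injected `hasher` object are assumptions made for illustration.

```javascript
// Added illustration, not Flowise source. Only `credential` comes from the
// advisory; every other name here is an assumption.
const PROFILE_FIELDS = new Set(['name', 'email']); // assumed client-editable fields

// Vulnerable pattern: every key in the request body lands on the record,
// so a body carrying `credential` replaces the stored password hash.
function updateUserUnsafe(user, body) {
  return { ...user, ...body };
}

// Hardened profile update: accept allowlisted keys only. Anything else is
// reported back so the attempt can be logged and answered with HTTP 400.
function updateUserSafe(user, body) {
  const rejected = Object.keys(body).filter((k) => !PROFILE_FIELDS.has(k));
  if (rejected.length > 0) return { ok: false, status: 400, rejected, user };
  return { ok: true, status: 200, rejected, user: { ...user, ...body } };
}

// Password changes get their own path: prove knowledge of the current
// password, hash on the server, and bump a counter that invalidates sessions.
// `hasher` stands in for the application's password-hashing library.
function changePassword(user, currentPassword, newPassword, hasher) {
  if (!hasher.verify(currentPassword, user.credential)) {
    return { ok: false, status: 403, user };
  }
  return {
    ok: true,
    status: 200,
    user: {
      ...user,
      credential: hasher.hash(newPassword),
      sessionVersion: user.sessionVersion + 1, // assumed session-revocation field
    },
  };
}

// Constructed sample record and request body (not taken from a real system).
const sampleUser = { id: 1, name: 'alice', credential: 'stored-hash', sessionVersion: 3 };
const sampleBody = { name: 'alice2', credential: 'client-supplied-hash' };
console.log(updateUserSafe(sampleUser, sampleBody).rejected); // [ 'credential' ]
```

Rejecting the whole request, rather than silently dropping the extra key, gives the server a clear event to log when a client tries to write a server-owned field.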
Affected Version(s)
Flowise 0 < 3.1.2
Flowise 3.1.2
