Authorization Bypass Vulnerability in FlowiseAI Flowise User Controller
CVE-2026-8027

5.3 MEDIUM

Key Information:

Vendor

Flowiseai

Status
Vendor
CVE Published: 6 May 2026

What is CVE-2026-8027?

A vulnerability exists in the User Controller Handler of FlowiseAI Flowise versions up to 3.0.12. Manipulating arguments such as userId, organizationId, workspaceId, or email allows unauthorized access: an attacker can bypass authentication and reach user data and functionality they should not have access to. The flaw can be exploited remotely, so affected installations should be updated promptly.

Affected Version(s)

Flowise 3.0.0

Flowise 3.0.1

Flowise 3.0.2

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Eric-a (VulDB User)