{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41267", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T14:01:46.801Z", "datePublished": "2026-04-23T19:12:26.765Z", "dateUpdated": "2026-04-23T19:44:53.201Z"}, "containers": {"cna": {"title": "Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-915", "lang": "en", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj"}], "affected": [{"vendor": "FlowiseAI", "product": "Flowise", "versions": [{"version": "< 3.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T19:12:26.765Z"}, "descriptions": [{"lang": "en", "value": "Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment. This vulnerability is fixed in 3.1.0."}], "source": {"advisory": "GHSA-48m6-ch88-55mj", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T19:44:40.847141Z", "id": "CVE-2026-41267", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T19:44:53.201Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB30DB8F-4F72-4FD3-90FB-8331F1CBB78E", "versionEndExcluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment. This vulnerability is fixed in 3.1.0."}], "id": "CVE-2026-41267", "lastModified": "2026-04-24T15:14:48.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-23T20:16:15.160", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Flowise", "source": "cna", "vendor": "FlowiseAI"}, "product": "flowise", "vendor": "flowiseai"}], "analysis": {"en": {"generated_at": "2026-04-28T14:45:47.331971+00:00", "value": {"mitigation_remediation": ["Upgrade Flowise to version 3.1.0 or newer to apply the vendor\u2011provided fix that protects against mass assignment in account registration.", "If an upgrade cannot be performed immediately, enforce strict server\u2011side validation that rejects client\u2011supplied organization association fields, timestamps, and nested objects during account creation to eliminate the injection vector.", "Continuously monitor account creation logs for abnormal organization association attempts and ensure automated alerts for suspicious patterns."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Organization Association"}, "threat_synthesis": {"affected_systems": "All versions of Flowise prior to 3.1.0 released by FlowiseAI are affected. The flaw is present in the account registration feature used to create new user accounts for the Flowise Cloud service.", "description_and_impact": "An improper mass assignment vulnerability in the Flowise Cloud account registration endpoint lets unauthenticated attackers inject server\u2010managed fields and nested objects during account creation. By supplying crafted JSON, the attacker can manipulate ownership metadata, timestamps, organization association, and role mappings, thereby breaking trust boundaries in a multi\u2011tenant environment and enabling unauthorized access to other organizations' resources.", "risk_and_exploitability": "The CVSS score of 8.1 classifies this flaw as high severity, while the EPSS score of less than 1\u202f% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by sending a malicious payload to the registration endpoint without authentication, establishing an account that is improperly linked to an organization or granted elevated role mappings."}}}}, "created": "2026-04-27T19:53:02.995523+00:00", "updated": "2026-04-28T15:00:14.477085+00:00", "vendors": ["flowiseai", "flowiseai$PRODUCT$flowise"]}