PT-2026-23788 · Flowise · Flowise
Yueyuel · Published 2026-03-06 · Updated 2026-03-07 · CVE-2026-30822
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Affected Versions: Flowise versions prior to 3.0.13

Description: Flowise is a drag-and-drop user interface for building customized large language model flows. A mass-assignment issue exists in the /api/v1/leads endpoint: unauthenticated users can control internal entity fields (id, createdDate, chatId) simply by including them in the request body. The endpoint uses Object.assign() to copy every property of the request body onto the Lead entity without input validation or field filtering, so an attacker can supply values for fields that are meant to be server-generated. The vulnerable code is in /packages/server/src/services/leads/index.ts at lines 27-28. The Lead entity definition at /packages/server/src/database/entities/Lead.ts uses TypeORM decorators that should auto-generate these fields, but because Object.assign() has already populated them from the request body, the attacker-supplied values are what gets saved. The /api/v1/leads endpoint is reachable without authentication because it appears in a whitelist in /packages/server/src/utils/constants.ts. Attack scenarios include ID collision attacks, audit-trail manipulation (backdated or forged createdDate values), data-integrity violations, and chatflow association manipulation via a chosen chatId.

Recommendations: For versions prior to 3.0.13, whitelist the allowed fields during object assignment, copying only explicitly permitted properties from the request body. Alternatively, use destructuring with explicit fields, or use class-transformer with @Exclude() decorators to prevent assignment of sensitive fields from the request. Note that field filtering does not change the fact that /api/v1/leads is whitelisted as an unauthenticated route, so the filter itself is the control that must be correct. Apply the same fix to other endpoints that use Object.assign() with request bodies, such as /packages/server/src/utils/addChatMessageFeedback.ts.
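The following is an added example, not Flowise's own code: a stand-alone model of the lead-creation handler that shows the mass-assignment pattern the advisory describes (Object.assign() from the request body onto the entity) next to a hardened version that copies only an explicit allow-list. TypeORM and Express are not used; the "auto-generated" columns are simulated by a helper that fills in id, createdDate and chatId only when they are still unset, which is the behaviour the advisory attributes to the decorators. The entity field names beyond id/createdDate/chatId (chatflowid, name, email, phone) and the request body are assumptions constructed for this example.

```typescript
// Added example (not Flowise code). Models the /api/v1/leads create handler
// to show Object.assign() mass assignment beside an allow-listed copy.
import { randomUUID } from "crypto";

// Assumed shape of the Lead entity; only id/createdDate/chatId are named
// in the advisory, the rest are assumptions for this example.
interface Lead {
  id: string;
  createdDate: Date;
  chatId: string;
  chatflowid: string;
  name?: string;
  email?: string;
  phone?: string;
}

// Simulates the TypeORM generated columns: values are produced on save
// only for fields that are still unset. Anything already present wins.
function applyGeneratedColumns(lead: Partial<Lead>): Lead {
  if (lead.id === undefined) lead.id = randomUUID();
  if (lead.createdDate === undefined) lead.createdDate = new Date();
  if (lead.chatId === undefined) lead.chatId = randomUUID();
  return lead as Lead;
}

// VULNERABLE pattern: every key in the request body lands on the entity,
// so a caller who sends id/createdDate/chatId pre-empts the generators.
export function createLeadVulnerable(body: Record<string, unknown>): Lead {
  const lead: Partial<Lead> = {};
  Object.assign(lead, body);
  return applyGeneratedColumns(lead);
}

// HARDENED pattern: copy only caller-owned fields, type-check each one,
// and let the generated columns be produced server-side.
const ALLOWED_LEAD_FIELDS = ["chatflowid", "name", "email", "phone"] as const;

export function createLeadHardened(body: Record<string, unknown>): Lead {
  const lead: Partial<Lead> = {};
  for (const field of ALLOWED_LEAD_FIELDS) {
    const value = body[field];
    if (value === undefined) continue;
    if (typeof value !== "string") {
      throw new Error(`field ${field} must be a string`);
    }
    lead[field] = value;
  }
  if (!lead.chatflowid) throw new Error("chatflowid is required");
  return applyGeneratedColumns(lead);
}

// Lists the body keys whose values survived onto the saved entity, so the
// two handlers can be compared on the same input.
export function injectedFields(body: Record<string, unknown>, lead: Lead): string[] {
  const saved = lead as unknown as Record<string, unknown>;
  return Object.keys(body).filter((k) => saved[k] === body[k]).sort();
}

// Constructed request body: a plausible lead plus the three server-owned
// fields an attacker would try to control.
export const ATTACKER_BODY: Record<string, unknown> = {
  chatflowid: "11111111-1111-4111-8111-111111111111",
  name: "Alice",
  email: "alice@example.com",
  id: "00000000-0000-4000-8000-000000000001",
  createdDate: new Date("2020-01-01T00:00:00Z"),
  chatId: "victim-chat-id",
};

// Stand-alone run: compare which keys each handler lets through.
console.log("vulnerable:", injectedFields(ATTACKER_BODY, createLeadVulnerable(ATTACKER_BODY)));
console.log("hardened:  ", injectedFields(ATTACKER_BODY, createLeadHardened(ATTACKER_BODY)));
```

Against the constructed body, the vulnerable handler persists all six keys, including the attacker's id, a backdated createdDate and a foreign chatId; the hardened handler keeps only chatflowid, name and email and generates the rest. The same allow-list-and-type-check shape applies to the other Object.assign() call sites the advisory mentions.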

Related Identifiers

CVE-2026-30822
GHSA-MQ4R-H2GH-QV7X

Affected Products

Flowise