PT-2026-34732 · Flowise · Flowise

Published: 2026-04-16 · Updated: 2026-04-23 · CVE-2026-41267

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Flowise versions prior to 3.1.0

Description

An improper mass assignment (JSON injection) issue exists in the account registration endpoint of Flowise Cloud. This allows unauthenticated attackers to inject server-managed fields and nested objects during account creation, enabling client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, which breaks trust boundaries in a multi-tenant environment.

Recommendations

Update to version 3.1.0.
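
For teams reviewing their own registration handlers for the weakness class in the description, the following added example (not Flowise code and not the vendor's fix) contrasts a generic mass-assignment pattern with allowlist validation that rejects server-managed and nested fields. All field names, the schema and the sample body are assumptions made for illustration.

```javascript
// Added example: field names are hypothetical, not taken from Flowise's code.

// Fields a client may set at registration, with expected types (assumed schema).
const CLIENT_FIELDS = { name: 'string', email: 'string', password: 'string' };

// Generic mass-assignment pattern: the body is spread last, so any
// server-managed key the client sends overrides the server's value.
function unsafeBuild(body, now, newId) {
  return { id: newId, createdDate: now, ...body };
}

// Allowlist validation: keep only known scalar fields of the right type and
// report every other key (including nested objects) so it can be logged.
function parseRegistration(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, value: null, rejected: ['<body>'], missing: [] };
  }
  const value = Object.create(null);
  const rejected = [];
  for (const key of Object.keys(body)) {
    const known = Object.prototype.hasOwnProperty.call(CLIENT_FIELDS, key);
    if (known && typeof body[key] === CLIENT_FIELDS[key]) value[key] = body[key];
    else rejected.push(key);
  }
  const missing = Object.keys(CLIENT_FIELDS).filter((k) => !(k in value));
  return { ok: rejected.length === 0 && missing.length === 0, value, rejected, missing };
}

// Server-managed fields are assigned after validation, never copied from input.
function buildUserRecord(value, now, newId) {
  // A real handler would hash value.password before storing it.
  return { ...value, id: newId, createdDate: now, updatedDate: now, createdBy: newId };
}

// Constructed request body: legitimate fields plus server-managed ones.
const SAMPLE = JSON.parse(`{
  "name": "alice", "email": "alice@example.com", "password": "correct horse",
  "id": "user-0001", "createdDate": "2020-01-01T00:00:00Z",
  "organization": { "id": "org-other" }, "role": "owner"
}`);

console.log('rejected keys:', parseRegistration(SAMPLE).rejected);
console.log('unsafe record role:', unsafeBuild(SAMPLE, 'now', 'srv-id').role);
```

Rejecting the whole request when `rejected` is non-empty, rather than silently dropping the extra keys, also gives detection a signal to alert on.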

Exploit

Fix

IDOR

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-41267
GHSA-48M6-CH88-55MJ

Affected Products

Flowise