CVE-2026-46478

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2

Description A mass assignment issue exists in the DatasetRow create and update processes. The application uses Object.assign() to copy the request body into the DatasetRow entity without an explicit field allowlist, allowing a client to overwrite sensitive fields such as workspaceId and id. This can lead to cross-workspace row takeover and Insecure Direct Object Reference (IDOR), where an authenticated user can move a dataset row to another workspace by specifying a different workspaceId in the request body. This exposes the row content to the destination workspace and removes access for the original workspace. The issue is located in the packages/server/src/services/dataset/index.ts file and affects the PUT /api/v1/datasetrows/<id> endpoint.

Recommendations Update to version 3.1.2. As a temporary workaround, restrict access to the PUT /api/v1/datasetrows/<id> endpoint to minimize the risk of exploitation.