CVE-2026-46479

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2

Description A mass assignment issue exists in the evaluation create and update processes. The server uses Object.assign() to copy the request body into the Evaluation entity without an explicit field allowlist, allowing a client to overwrite sensitive fields such as workspaceId, id, createdDate, and updatedDate. An authenticated user can exploit this by sending a request to the PUT /api/v1/evaluations/<id> endpoint with a modified workspaceId variable, effectively moving an evaluation to a different workspace. This results in a cross-workspace boundary violation and Insecure Direct Object Reference (IDOR), where data can be exposed to members of another workspace.

Recommendations Update to version 3.1.2. As a temporary workaround, restrict access to the PUT /api/v1/evaluations/<id> endpoint to minimize the risk of unauthorized workspace transfers.