GHSA-59FH-9F3P-7M39: Mass Assignment in Flowise Profile Update Endpoint
Vulnerability ID: GHSA-59FH-9F3P-7M39
CVSS Score: 5.3
Published: 2026-05-20
A mass assignment vulnerability in the Flowise profile update endpoint allows authenticated users to directly modify their database records. By injecting the credential field into a PUT request, an attacker can overwrite their password hash, bypassing standard security controls and enabling persistent account access.
TL;DR
Flowise versions prior to 3.1.2 fail to filter incoming data on the user profile update endpoint. Authenticated attackers can supply a credential parameter to overwrite their password hash directly, establishing persistence without knowing the current password.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-915
- Attack Vector: Network
- CVSS v4.0: 5.3
- Privileges Required: Low
- Exploit Status: Proof of Concept
- Authentication: Required
Affected Systems
- Flowise Platform
- Node.js API Services using TypeORM
- Flowise: < 3.1.2 (Fixed in: 3.1.2)
Mitigation Strategies
- Upgrade Flowise to version 3.1.2 or newer
- Implement strict allowlisting on all API update endpoints
- Deploy WAF rules blocking the 'credential' key in PUT requests to /api/v1/user
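The allowlisting mitigation above, sketched as an added example (not Flowise's own code): only named keys from the PUT body reach the stored record, and anything else, including credential, is dropped and reported. The editable field names (name, email) and the sample values are assumptions.

```javascript
// Added example, not Flowise code. Editable field names are assumed.
const ALLOWED_PROFILE_FIELDS = new Set(['name', 'email']);

// Split a request body into allowlisted string fields and rejected keys.
function filterProfileUpdate(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('profile update body must be a JSON object');
  }
  const update = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (ALLOWED_PROFILE_FIELDS.has(key) && typeof body[key] === 'string') {
      update[key] = body[key];
    } else {
      rejected.push(key); // e.g. "credential"
    }
  }
  return { update, rejected };
}

// Unfiltered merge, for contrast: every client-supplied key reaches the record.
function unsafeMerge(record, body) {
  return { ...record, ...body };
}

// Filtered merge: only allowlisted keys are applied; rejected keys are
// returned so the caller can log them or answer with HTTP 400.
function safeMerge(record, body) {
  const { update, rejected } = filterProfileUpdate(body);
  return { record: { ...record, ...update }, rejected };
}

// Constructed sample data.
const storedUser = { id: 'u-1', name: 'Alice', email: 'alice@example.test', credential: '<stored-hash>' };
const requestBody = { name: 'Alice B.', credential: '<client-supplied-value>' };

const result = safeMerge(storedUser, requestBody);
console.log(result.record.credential, result.rejected);
```

A non-empty rejected list on this route is also a useful signal for the account-activity review listed under the remediation steps.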
Remediation Steps:
- Verify the current Flowise version in deployment environments
- Update the flowise npm package to >= 3.1.2
- Restart the application server to apply the updated code
- Review user account activity for unauthorized password modifications
References
Read the full report for GHSA-59FH-9F3P-7M39 on our website for more details including interactive diagrams and full exploit analysis.