{"data":{"id":"1428e37e-595b-4b01-bbc2-1a3c38933eb8","title":"GHSA-5wxp-qjgq-fx6m: FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment","summary":"FlowiseAI has a mass assignment vulnerability (a flaw where an attacker can modify server-controlled fields by including them in their input) in its chatflow update endpoint that allows authenticated users to change protected properties like workspaceId, deployed status, and visibility settings. An attacker can reassign chatflows to other workspaces and modify deployment or visibility settings without authorization because the server doesn't validate which fields should be editable.","solution":"Upgrade flowise to 3.1.2 or later, the fixed version listed in affectedPackages; no other mitigation is discussed in the source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-5wxp-qjgq-fx6m","publishedAt":"2026-05-14T14:54:28.000Z","cveId":"CVE-2026-42863","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["flowise@<= 3.1.1 (fixed: 3.1.2)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["FlowiseAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-14T14:54:28.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}