{"data":{"id":"7ec2757e-6f45-4338-ac7d-2cbaa5146eb5","title":"GHSA-x5v6-pj28-cwwm: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment","summary":"FlowiseAI has a mass assignment vulnerability (a security flaw where an attacker can modify fields they shouldn't be able to change) in its tool update endpoint that allows authenticated users to reassign tools to different workspaces by manipulating the workspaceId field in their requests. The server fails to validate which properties users can modify, allowing attackers to change server-controlled fields like workspaceId, createdDate, and updatedDate, which breaks tenant isolation (the security boundary that keeps different users' data separate) in multi-workspace environments.","solution":"No mitigation or workaround is discussed in the source; the affected-package data lists 3.1.2 as the fixed version, so upgrade flowise to 3.1.2 or later.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-x5v6-pj28-cwwm","publishedAt":"2026-05-14T14:52:40.000Z","cveId":"CVE-2026-42862","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["flowise@<= 3.1.1 (fixed: 3.1.2)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["FlowiseAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-14T14:52:40.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}