{"data":{"id":"f2321133-2c3c-43af-bd42-f189f087642d","title":"GHSA-hp26-q66v-q2w7: FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment","summary":"FlowiseAI has a mass assignment vulnerability (a flaw where a server accepts fields it shouldn't let users modify) in its assistant update endpoint that lets authenticated users change server-controlled properties like workspaceId, createdDate, and updatedDate. Because the server lacks proper validation and authorization checks, an attacker can reassign assistants to different workspaces, potentially breaking the isolation between separate workspaces in multi-tenant environments (systems serving multiple independent organizations).","solution":"Upgrade to flowise 3.1.2 or later, the fixed version listed under affectedPackages; no other mitigation or workaround is discussed in the source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-hp26-q66v-q2w7","publishedAt":"2026-05-14T14:57:46.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["flowise@<= 3.1.1 (fixed: 3.1.2)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["FlowiseAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-05-14T14:57:46.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}