GHSA-48m6-ch88-55mj: Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
Summary
Flowise Cloud has a mass assignment vulnerability (a form of JSON injection, in which attackers hide malicious data in JSON input) in its account registration endpoint. It allows unauthenticated attackers to inject server-managed fields, such as organization IDs and role assignments, during account creation. This breaks trust boundaries in the multi-tenant environment (a system serving multiple separate organizations): attackers can associate their new accounts with existing organizations they don't own, gaining unauthorized access and escalated privileges.
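An added example, not taken from the advisory or from Flowise's code: a registration handler that merges the request body into the new account record, next to a hardened version that allowlists client-settable fields and sets organization and role on the server. The field names (`organizationId`, `role`), the `owner` default and the sample request are assumptions constructed for illustration.

```javascript
// Added illustration. Field names and values are hypothetical, not Flowise's schema.
const CLIENT_FIELDS = ['name', 'email', 'password']; // assumed client-settable fields

// Vulnerable pattern: the parsed body is spread over the server defaults,
// so any key the client sends replaces the server-managed value.
function registerVulnerable(body, serverDefaults) {
  return { ...serverDefaults, ...body };
}

// Hardened pattern: copy only allowlisted string fields, then apply the
// server-managed fields last so the request can never supply them.
function registerHardened(body, serverDefaults) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('registration body must be a JSON object');
  }
  // Unexpected keys are returned so the caller can log or reject the request.
  const rejected = Object.keys(body).filter((k) => !CLIENT_FIELDS.includes(k));
  const user = {};
  for (const field of CLIENT_FIELDS) {
    if (!Object.prototype.hasOwnProperty.call(body, field)) continue;
    if (typeof body[field] !== 'string') {
      throw new TypeError(`${field} must be a string`);
    }
    user[field] = body[field];
  }
  return { user: { ...user, ...serverDefaults }, rejected };
}

// Constructed sample: a registration body carrying two server-managed fields.
const SAMPLE_BODY = JSON.parse(`{
  "name": "New User",
  "email": "new.user@example.com",
  "password": "constructed-sample-only",
  "organizationId": "org-existing-0001",
  "role": "admin"
}`);
// Values the server would generate for a fresh account (assumed).
const SERVER_DEFAULTS = { organizationId: 'org-new-0002', role: 'owner' };

function demo() {
  return {
    vulnerable: registerVulnerable(SAMPLE_BODY, SERVER_DEFAULTS),
    hardened: registerHardened(SAMPLE_BODY, SERVER_DEFAULTS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `rejected` list gives a detection signal as well: a registration request that names a server-managed field is worth logging even when it is ignored.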
Original source: https://github.com/advisories/GHSA-48m6-ch88-55mj
First tracked: April 17, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 85%