GHSA-mq4r-h2gh-qv7x: Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint
Summary
A mass assignment vulnerability (a type of attack where an attacker controls internal fields by sending them in a request) exists in Flowise's `/api/v1/leads` endpoint, allowing unauthenticated users to override auto-generated fields like `id`, `createdDate`, and `chatId` by including them in the request body. The vulnerability occurs because the code uses `Object.assign()` to copy all properties from user input directly into the database entity without filtering, bypassing the intended auto-generation of these fields.
Vulnerability Details
EPSS: 0.0%
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-mq4r-h2gh-qv7x
First tracked: March 6, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 92%