GHSA-x5v6-pj28-cwwm: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
Summary
FlowiseAI has a mass assignment vulnerability (a security flaw where an attacker can modify fields they shouldn't be able to change) in its tool update endpoint that allows authenticated users to reassign tools to different workspaces by manipulating the workspaceId field in their requests. The server fails to validate which properties users can modify, allowing attackers to change server-controlled fields like workspaceId, createdDate, and updatedDate, which breaks tenant isolation (the security boundary that keeps different users' data separate) in multi-workspace environments.
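The pattern described above next to an allowlist-based fix, as an added example that is not Flowise's code. The in-memory store, the function names and the editable field list (`name`, `description`, `schema`, `func`) are assumptions; only `workspaceId`, `createdDate` and `updatedDate` come from the advisory.

```javascript
// Added illustration; not Flowise source. The in-memory store and every field
// name except workspaceId, createdDate and updatedDate are assumptions.
const EDITABLE_FIELDS = ['name', 'description', 'schema', 'func']; // assumed client-editable

// Constructed sample data: one tool in each of two workspaces.
function makeStore() {
  const t = '2026-01-01T00:00:00Z';
  return new Map([
    ['tool-1', { id: 'tool-1', workspaceId: 'ws-a', name: 'search', createdDate: t, updatedDate: t }],
    ['tool-2', { id: 'tool-2', workspaceId: 'ws-b', name: 'mail', createdDate: t, updatedDate: t }],
  ]);
}

// Pattern the advisory describes: the request body is merged into the record
// as-is, so server-controlled fields take whatever value the client sent.
function updateToolUnsafe(store, toolId, body) {
  const tool = store.get(toolId);
  if (!tool) return { status: 404 };
  Object.assign(tool, body);
  return { status: 200, tool };
}

// Hardened form: scope the lookup to the caller's workspace, copy only
// allowlisted fields, and set the timestamp on the server.
function updateToolSafe(store, callerWorkspaceId, toolId, body, now = new Date()) {
  const tool = store.get(toolId);
  // Same 404 for "missing" and "belongs to another workspace".
  if (!tool || tool.workspaceId !== callerWorkspaceId) return { status: 404 };
  // Keys outside the allowlist are never applied; return them so they can be logged.
  const rejected = Object.keys(body).filter((k) => !EDITABLE_FIELDS.includes(k));
  for (const key of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) tool[key] = body[key];
  }
  tool.updatedDate = now.toISOString();
  return { status: 200, tool, rejected };
}
```

A non-empty `rejected` list on an update request is a useful detection signal: legitimate clients have no reason to send `workspaceId` or the date fields.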
Vulnerability Details
EPSS: 0.0%
Yes
May 14, 2026
Original source: https://github.com/advisories/GHSA-x5v6-pj28-cwwm
First tracked: May 14, 2026 at 02:00 PM