GHSA-7j65-65cr-6644: FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
Summary
FlowiseAI has a mass assignment vulnerability (a code pattern where user input is directly copied into a database object without filtering) in its DatasetRow feature that allows authenticated attackers to change which workspace owns a data row by including a `workspaceId` field in their request, giving them access to other teams' data. This breaks workspace isolation (the security boundary that keeps different teams' data separate) and lets attackers move training records between workspaces they shouldn't have access to.
Solution / Mitigation
The advisory states that the vulnerability is "Already fixed in PR https://github.com/FlowiseAI/Flowise/pull/6051 (allowlist pattern applied)." An allowlist explicitly names which fields from the user's request may be copied into the DatasetRow object, so fields such as `workspaceId` are never accepted from the client.
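The mass-assignment pattern beside an allowlisted update, as an added example that is not Flowise's code and not the contents of the PR. Only `DatasetRow` and `workspaceId` come from the advisory; the other field names, the function names, the ownership check and the sample values are assumptions made for illustration.

```typescript
// Hypothetical row shape; only `workspaceId` is named in the advisory.
interface DatasetRow {
  id: string;
  datasetId: string;
  input: string;
  output: string;
  workspaceId: string;
}

// Assumed list of fields a client is allowed to set.
const EDITABLE_FIELDS = ["input", "output"] as const;

// Vulnerable pattern: every key in the request body is copied onto the row,
// so a client-supplied workspaceId overwrites the stored one.
function updateRowUnsafe(row: DatasetRow, body: Record<string, unknown>): DatasetRow {
  return { ...row, ...body } as unknown as DatasetRow;
}

// Allowlist pattern: only named fields are copied. workspaceId is never read
// from the body. The ownership check is an extra guard assumed for this example.
function updateRowSafe(
  row: DatasetRow,
  body: Record<string, unknown>,
  callerWorkspaceId: string
): DatasetRow {
  if (row.workspaceId !== callerWorkspaceId) {
    throw new Error("row not found in caller workspace");
  }
  const next: DatasetRow = { ...row };
  for (const field of EDITABLE_FIELDS) {
    const value = body[field];
    if (typeof value === "string") {
      next[field] = value;
    }
  }
  return next;
}

// Keys the allowlist dropped; worth logging, since a legitimate client
// has no reason to send them.
function rejectedKeys(body: Record<string, unknown>): string[] {
  const allowed = EDITABLE_FIELDS as readonly string[];
  return Object.keys(body).filter((key) => allowed.indexOf(key) === -1);
}

// Constructed sample: a row owned by "ws-a" and a body carrying an extra workspaceId.
const sampleRow: DatasetRow = { id: "row-1", datasetId: "ds-1", input: "q", output: "a", workspaceId: "ws-a" };
const sampleBody: Record<string, unknown> = { output: "edited", workspaceId: "ws-b" };
```

With the constructed sample, the unsafe version returns a row owned by "ws-b", while the allowlisted version keeps "ws-a" and reports `workspaceId` as a rejected key.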
Original source: https://github.com/advisories/GHSA-7j65-65cr-6644
First tracked: May 14, 2026 at 02:00 PM