Flowise Improper Mass Assignment Vulnerability in Account Registration Endpoint Allows Unauthorized Organization Association

Vulnerability

A vulnerability allowing improper mass assignment (JSON injection) has been identified in Flowise versions prior to 3.1.0. This issue exists in the account registration endpoint of Flowise Cloud, where the backend fails to properly validate client-supplied JSON. As a result, unauthenticated attackers can inject server-managed fields and nested objects during account creation. This exploitation enables manipulation of ownership metadata, timestamps, organization associations, and role mappings, thereby violating trust boundaries in a multi-tenant environment.

Impact

Exploitation of this vulnerability allows for unauthorized association of newly created user accounts with existing organizations, bypassing organizational ownership and trust boundaries. This could lead to cross-tenant access and privilege escalation. Additionally, injected ownership metadata and timestamps could disrupt audit integrity.

Reproduction

To reproduce this vulnerability, send a registration request to the Flowise Cloud account registration endpoint. Include standard user information such as name, email, and password. The server will respond with a 201 Created status, indicating a successful account creation. Next, send a modified registration request that injects additional server-managed fields and nested objects, such as organization details and metadata fields like createdBy and updatedBy. The server will again respond with 201 Created, but this time the injected fields will be persisted, reflecting client-controlled values.
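The root cause described above is a registration handler that copies the client's JSON object into the persisted user record without an allowlist, so server-owned fields ride along. The following TypeScript is an added illustration written for this advisory, not Flowise's own code: it contrasts that mass-assignment pattern with a hardened handler that accepts only name, email and password, sources every server-managed value from server context, and records an audit warning whenever a client tries to supply one. The field names beyond those the advisory mentions (id, createdDate, updatedDate, role) and the sample request bodies are constructed assumptions.

```typescript
// Added example (not Flowise code): allowlist guard for a registration endpoint.

interface ServerContext {
  now: string;         // server clock, ISO 8601
  systemActor: string; // principal recorded as creator of self-registered accounts
}

// Fields a client may set on registration (assumed set for this example).
const ALLOWED_FIELDS = ["name", "email", "password"] as const;

// Fields the server owns; a client supplying any of these is worth an audit log entry.
// createdBy, updatedBy and organization come from the advisory; the rest are assumptions.
const SERVER_MANAGED_FIELDS: string[] = [
  "id", "createdBy", "updatedBy", "createdDate", "updatedDate", "organization", "role",
];

// Vulnerable pattern: spreading the whole body last lets the client overwrite
// every default, including ownership metadata and organization membership.
function buildUserVulnerable(body: Record<string, unknown>, ctx: ServerContext): Record<string, unknown> {
  return {
    createdBy: ctx.systemActor,
    updatedBy: ctx.systemActor,
    createdDate: ctx.now,
    updatedDate: ctx.now,
    organization: null,
    ...body, // client-controlled keys win
  };
}

interface GuardResult {
  ok: boolean;
  user?: Record<string, unknown>;
  errors: string[];   // reasons the request is rejected
  warnings: string[]; // audit signals: attempts to set server-managed fields
}

// Hardened pattern: validate the body as an object, reject any key outside the
// allowlist, type-check the allowed scalars, and build the record from server context.
function buildUserHardened(body: unknown, ctx: ServerContext): GuardResult {
  const errors: string[] = [];
  const warnings: string[] = [];
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"], warnings };
  }
  const input = body as Record<string, unknown>;

  for (const key of Object.keys(input)) {
    if (!(ALLOWED_FIELDS as readonly string[]).includes(key)) {
      if (SERVER_MANAGED_FIELDS.includes(key)) {
        warnings.push(`client attempted to set server-managed field "${key}"`);
      }
      errors.push(`unexpected field "${key}"`);
    }
  }
  // Nested objects are never accepted: each allowed field must be a non-empty string.
  for (const key of ALLOWED_FIELDS) {
    const value = input[key];
    if (typeof value !== "string" || value.length === 0) {
      errors.push(`field "${key}" must be a non-empty string`);
    }
  }
  if (errors.length > 0) {
    return { ok: false, errors, warnings };
  }

  // Copy only allowlisted scalars by name; nothing is spread from the body.
  const user: Record<string, unknown> = {
    name: input.name,
    email: input.email,
    password: input.password, // hash before storage in a real handler
    createdBy: ctx.systemActor,
    updatedBy: ctx.systemActor,
    createdDate: ctx.now,
    updatedDate: ctx.now,
    organization: null, // assigned later by an authenticated, authorized flow
  };
  return { ok: true, user, errors, warnings };
}

// Constructed sample inputs (not captured traffic).
const CTX: ServerContext = { now: "2026-01-01T00:00:00.000Z", systemActor: "system" };
const NORMAL_BODY = { name: "Alice", email: "alice@example.com", password: "correct horse battery" };
// Mirrors the advisory's description: standard fields plus injected ownership and organization data.
const TAMPERED_BODY = { ...NORMAL_BODY, createdBy: "client-chosen", organization: { id: "org-placeholder" } };

console.log("vulnerable:", JSON.stringify(buildUserVulnerable(TAMPERED_BODY, CTX)));
console.log("hardened:", JSON.stringify(buildUserHardened(TAMPERED_BODY, CTX), null, 2));
```

The warnings array is the detection hook: forwarding it to the audit log turns each rejected request into a signal that someone is probing the endpoint for mass assignment, which the vulnerable handler would have silently accepted as a 201 Created.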

Remediation

Users are advised to update Flowise to version 3.1.0 or later, where this vulnerability has been fixed.

Added: Apr 23, 2026, 8:39 PM
Updated: Apr 23, 2026, 8:39 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.