Flowise Mass Assignment Vulnerability in Variable Update Endpoint Allows Cross-Workspace Resource Reassignment

Vulnerability

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2. The issue resides in the variable update endpoint, which copies client-supplied fields onto the stored variable without restricting them to the fields a client is meant to edit. As a result, an authenticated user can overwrite server-controlled properties such as workspaceId, createdDate, and updatedDate. Because the endpoint neither rejects these fields nor verifies that the target workspace belongs to the caller, an attacker can set workspaceId to an arbitrary value and move a variable into another workspace, breaking tenant isolation in multi-workspace deployments.

Impact

Exploitation of this vulnerability could lead to unauthorized cross-workspace reassignment of variables, manipulation of metadata such as creation and update dates, and a potential bypass of tenant isolation in multi-workspace deployments.

Reproduction

To reproduce this vulnerability, authenticate as an ordinary user and send a PUT request to the variable update endpoint for an existing variable, with a JSON payload that includes workspaceId (set to a workspace other than the variable's current one), createdDate, and updatedDate alongside a normal field such as the value. On an affected version the server accepts the request and persists the attacker-controlled values; reading the variable back afterwards shows the new workspaceId and timestamps, demonstrating the missing field validation and the missing workspace authorization check.
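The following is an added example, not Flowise's own code, that models the two versions of such an update handler side by side: the mass-assignment-prone form that copies every key from the request body, and a hardened form that checks workspace ownership, allow-lists the client-editable fields, and sets updatedDate on the server. The field names (name, value, type, workspaceId, createdDate, updatedDate) follow the advisory; the request shape, the entity type, the ownership rule and the sample data are assumptions made for illustration.

```typescript
// Added example: minimal model of a "variable update" handler, vulnerable and hardened.
// Entity shape and request shape are assumptions; field names follow the advisory.
interface Variable {
  id: string;
  name: string;
  value: string;
  type: string;
  workspaceId: string;  // server-controlled: tenant that owns the variable
  createdDate: string;  // server-controlled
  updatedDate: string;  // server-controlled
}

// The only fields a client may change through the update endpoint (assumption).
const CLIENT_WRITABLE = new Set<string>(["name", "value", "type"]);

// Vulnerable pattern: every key in the body is copied onto the entity, so
// workspaceId / createdDate / updatedDate become attacker-controlled.
function applyUpdateUnsafe(stored: Variable, body: Record<string, unknown>): Variable {
  return Object.assign({}, stored, body) as Variable;
}

class AuthorizationError extends Error {}

// Hardened pattern:
//  1. the caller must belong to the workspace that owns the variable,
//  2. only allow-listed string fields are copied; everything else is dropped
//     and reported so the server can log the attempt,
//  3. updatedDate is set by the server, createdDate is never touched.
function applyUpdate(
  stored: Variable,
  body: Record<string, unknown>,
  requesterWorkspaceId: string,
  now: () => string = () => new Date().toISOString(),
): { variable: Variable; rejected: string[] } {
  if (stored.workspaceId !== requesterWorkspaceId) {
    throw new AuthorizationError("variable does not belong to the requester's workspace");
  }
  const updated: Variable = { ...stored };
  const rejected: string[] = [];
  for (const [key, val] of Object.entries(body)) {
    if (!CLIENT_WRITABLE.has(key) || typeof val !== "string") {
      rejected.push(key); // e.g. workspaceId, createdDate, updatedDate, or a non-string value
      continue;
    }
    if (key === "name" || key === "value" || key === "type") {
      updated[key] = val;
    }
  }
  updated.updatedDate = now();
  return { variable: updated, rejected };
}

// Constructed sample data: a variable owned by workspace "ws-A".
const STORED: Variable = {
  id: "var-1",
  name: "API_BASE",
  value: "https://internal.example",
  type: "static",
  workspaceId: "ws-A",
  createdDate: "2025-01-01T00:00:00.000Z",
  updatedDate: "2025-01-01T00:00:00.000Z",
};

// Constructed attacker payload: a plausible edit plus the server-controlled fields.
const ATTACK_BODY: Record<string, unknown> = {
  value: "https://attacker.example",
  workspaceId: "ws-B",
  createdDate: "1970-01-01T00:00:00.000Z",
  updatedDate: "1970-01-01T00:00:00.000Z",
};

// Demo: the unsafe path moves the variable to ws-B; the hardened path keeps it in ws-A.
console.log("unsafe  ->", applyUpdateUnsafe(STORED, ATTACK_BODY).workspaceId);
console.log("hardened->", applyUpdate(STORED, ATTACK_BODY, "ws-A").variable.workspaceId);
```

The `rejected` list is worth logging: a request that carries workspaceId or timestamp fields from a client is a useful detection signal for this class of attempt, whether or not the server honours them.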

Remediation

Update to Flowise version 3.1.2 or later, where this vulnerability has been patched. Until then, treat any variable whose workspaceId or timestamps changed unexpectedly as potentially tampered.

Added: Jun 8, 2026, 5:16 PM
Updated: Jun 8, 2026, 5:16 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.