Flowise Mass Assignment Vulnerability in Tool Update Endpoint Allows Cross-Workspace Resource Reassignment

Vulnerability

A mass assignment vulnerability exists in Flowise versions prior to 3.1.2. The tool update endpoint binds the request body to the stored tool record without restricting which properties a client may set, so an authenticated user can overwrite server-controlled properties such as workspaceId, createdDate, and updatedDate. Because the endpoint performs inadequate server-side validation and authorization checks, an attacker can change workspaceId and reassign a tool to an arbitrary workspace, breaking tenant isolation in multi-workspace deployments.

Impact

Exploitation of this vulnerability allows for cross-workspace reassignment of tools and unauthorized modification of metadata, such as creation and update dates. In multi-tenant deployments, this could enable an attacker to move tools between workspaces without proper authorization, violating tenant isolation.

Reproduction

To reproduce, authenticate to Flowise and send a PUT request to the tool update endpoint whose body includes, alongside a legitimate field such as the tool name, the server-controlled properties workspaceId, createdDate, and updatedDate. A vulnerable server accepts and persists these client-supplied values; reading the tool back afterwards shows the altered workspaceId and timestamps, confirming the issue.
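The following is an added example, not Flowise's own code, that contrasts the request-handling pattern the advisory describes (merging the client body straight into the stored record) with a hardened version that allowlists client-writable fields and checks workspace ownership before writing. The tool field names, the in-memory store, and the attacker body are constructed assumptions for illustration; the real endpoint path and entity layout are not shown on this page.

```javascript
// Added example (not Flowise code): vulnerable vs. hardened tool update handling.
// Field names, the store, and the sample body are assumptions for illustration.

// Fields a client may change through the update endpoint (assumed allowlist).
// An allowlist is preferred over a denylist: a new server-controlled column
// added later is rejected by default instead of becoming writable by accident.
const CLIENT_WRITABLE_FIELDS = ['name', 'description', 'color', 'iconSrc', 'schema', 'func'];

// Constructed sample store: one tool owned by workspace "ws-A".
function makeStore() {
  return new Map([
    ['tool-1', {
      id: 'tool-1',
      workspaceId: 'ws-A',
      name: 'Original name',
      createdDate: '2024-01-01T00:00:00.000Z',
      updatedDate: '2024-01-01T00:00:00.000Z',
    }],
  ]);
}

// Constructed attacker body: a legitimate edit plus injected server-controlled fields.
const MALICIOUS_BODY = {
  name: 'Renamed by attacker',
  workspaceId: 'ws-B',
  createdDate: '1999-01-01T00:00:00.000Z',
  updatedDate: '1999-01-01T00:00:00.000Z',
};

// Vulnerable pattern: whatever the client sent is merged into the record,
// so workspaceId and both timestamps become client-controlled.
function vulnerableToolUpdate(store, toolId, body) {
  const tool = store.get(toolId);
  if (!tool) return { status: 404 };
  const updated = { ...tool, ...body };
  store.set(toolId, updated);
  return { status: 200, tool: updated };
}

// Split a body into the fields the client may set and the keys to reject.
function pickWritableFields(body) {
  const accepted = {};
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (CLIENT_WRITABLE_FIELDS.includes(key)) accepted[key] = value;
    else rejected.push(key);
  }
  return { accepted, rejected };
}

// Hardened pattern: authorize against the caller's workspace, keep only
// allowlisted fields, and stamp updatedDate on the server. The clock is
// injectable so the behaviour is deterministic in tests.
function hardenedToolUpdate(store, toolId, callerWorkspaceId, body,
                            now = () => new Date().toISOString()) {
  const tool = store.get(toolId);
  // Same response for "missing" and "belongs to another workspace" so the
  // endpoint does not reveal which tool ids exist in other tenants.
  if (!tool || tool.workspaceId !== callerWorkspaceId) return { status: 404 };
  const { accepted, rejected } = pickWritableFields(body);
  const updated = { ...tool, ...accepted, updatedDate: now() };
  store.set(toolId, updated);
  return { status: 200, tool: updated, rejected };
}

// Run the same attacker body through both handlers on fresh stores.
function demo() {
  const v = vulnerableToolUpdate(makeStore(), 'tool-1', MALICIOUS_BODY);
  const h = hardenedToolUpdate(makeStore(), 'tool-1', 'ws-A', MALICIOUS_BODY,
                               () => '2025-01-01T00:00:00.000Z');
  return { vulnerable: v.tool, hardened: h.tool, rejected: h.rejected };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable path the tool ends up in ws-B with a 1999 creation date; in the hardened path only the name changes, updatedDate is set by the server, and the three injected keys are reported as rejected so the server can log the attempt. A caller from ws-B attempting to update tool-1 through the hardened handler gets a 404 regardless of body contents.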

Remediation

Update to Flowise version 3.1.2 or later, where this vulnerability has been fixed. The fix does not undo changes already made through the endpoint, so after upgrading a multi-workspace deployment, review existing tools for unexpected workspaceId values or implausible creation and update dates.

Added: Jun 8, 2026, 5:13 PM
Updated: Jun 8, 2026, 5:13 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.