Flowise Mass Assignment Vulnerability in Evaluations Endpoint Allows Cross-Workspace Data Takeover

Vulnerability

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, specifically within the evaluations management feature. This issue allows an authenticated user to manipulate evaluation data across different workspaces, potentially leading to unauthorized access and modification of evaluation records. The vulnerability arises because the evaluation controller does not properly validate which fields can be updated, allowing client-controlled data to overwrite critical workspace-specific information. As a result, evaluations can be transferred between workspaces, disrupting data integrity and privacy.

Impact

Exploitation of this vulnerability could result in cross-workspace data takeover, allowing an attacker to access, modify, and use evaluation data from another workspace. This includes any captured prompts, model outputs, and scoring data associated with the evaluations.

Reproduction

To reproduce this vulnerability, an authenticated user must first create or identify an evaluation in their workspace. They then send a request to update that evaluation, including a workspace ID from a different workspace. The request is processed as if it originated from the user's current workspace, but the supplied workspace ID is applied to the record, so the evaluation is transferred to the other workspace, effectively taking over the evaluation data.

Remediation

Users can update to Flowise version 3.1.2 or later, where this vulnerability has been patched.
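
The flaw class described above, next to an allowlist-based hardening, as an added example: this is not Flowise's code or its actual patch. The field names (name, workspaceId), the in-memory store and the function names are assumptions chosen to mirror the advisory's description.

```javascript
// Added illustration, not Flowise source. Field names, the store and the
// function names are assumptions that mirror the advisory's description.

// Constructed sample data: one evaluation per workspace.
function makeStore() {
  return new Map([
    ['eval-1', { id: 'eval-1', name: 'baseline', workspaceId: 'ws-A' }],
    ['eval-2', { id: 'eval-2', name: 'private', workspaceId: 'ws-B' }],
  ]);
}

// Vulnerable pattern: the whole client body is merged into the record, so a
// body that carries workspaceId overwrites the tenant binding. The session
// is never consulted.
function updateEvaluationUnsafe(store, session, id, body) {
  const record = store.get(id);
  if (!record) return { status: 404 };
  Object.assign(record, body);
  return { status: 200, record };
}

// Hardened pattern: the workspace comes from the server-side session only,
// and just the allowlisted fields may be written.
const UPDATABLE_FIELDS = new Set(['name']);

function updateEvaluationSafe(store, session, id, body) {
  const record = store.get(id);
  // Same answer for "missing" and "other workspace" avoids leaking existence.
  if (!record || record.workspaceId !== session.workspaceId) return { status: 404 };
  // Reject, rather than silently drop, any field outside the allowlist so
  // tampering attempts are visible in logs and tests.
  const rejected = Object.keys(body).filter((k) => !UPDATABLE_FIELDS.has(k));
  if (rejected.length > 0) return { status: 400, rejected };
  for (const key of Object.keys(body)) record[key] = body[key];
  return { status: 200, record };
}
```

A regression test for this class of bug should assert that the stored workspace binding is unchanged after an update whose body contains a workspace ID.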

Added: Jun 8, 2026, 4:39 PM
Updated: Jun 8, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.