Detections
Analytics
SCA: security update for flowise (GHSA-6fw7-3q8r-m5vj)
high Tenable Cloud Security Plugin ID 441887
Description
There are packages installed that are affected by a vulnerability referenced in the following CVE:- Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version
3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint
allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and
updatedDate when updating a variable resource. Due to missing server-side validation and authorization
checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces.
This behavior may break tenant isolation in multi-workspace environments. This issue has been patched in
version 3.1.2. (CVE-2026-42861)
Solution
Update the flowise library and its related packages to version 3.1.2 or later.See Also
Plugin Details
Severity: High
ID: 441887
Version: Revision 1.8
Type: Local
Family: SCA Checks
Published: 5/14/2026
Updated: 6/15/2026
Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
VPR
Risk Factor: High
Score: 7.1
Vendor
Vendor Severity: High
CVSS v2
Risk Factor: High
Base Score: 8.5
Temporal Score: 6.7
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N
CVSS Score Source: CVE-2026-42861
CVSS v3
Risk Factor: Critical
Base Score: 9.6
Temporal Score: 8.6
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS v4
Risk Factor: High
Base Score: 7.6
Threat Score: 6.7
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Vulnerability Information
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 5/14/2026
Vulnerability Publication Date: 5/14/2026
Reference Information
CVE: CVE-2026-42861