Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override | Advisories

Advisories

Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override

severity: medium
date: 6/20/2026
Affecting: Flowise >= 0, < 3.1.2
CVE: CVE-2026-56276
CWE: CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVSS: 6.0
CVSS V4 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
References: GHSA Advisory GHSA-59fh-9f3p-7m39
Credit: berkdedekarginoglu
Description: Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo