CVE-2026-56276 | Flowise before 3.1.2 contains a mass assignment vulnerabilit… | CVSS 6.0 MEDIUM

Description

Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.

Metadata

CVE ID: CVE-2026-56276
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 01:47 UTC
Published: 2026-06-20 15:24 UTC
Last updated: 2026-06-20 15:24 UTC
Primary CWE: CWE-915
Improperly Controlled Modification of Dynamically-Determined…
Vendor / Product: Flowise / Flowise
Sources: cve.org · NVD

Severity & Metrics

6.0 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
Flowise	Flowise	—	0 < 3.1.2, 3.1.2

Weakness (CWE)

CWE	Source	Description
CWE-915	cna	Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.0	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References (2)

GHSA Advisory GHSA-59fh-9f3p-7m39 https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-59fh-9f3p-7m39
VulnCheck Advisory: Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override https://www.vulncheck.com/advisories/flowise-mass-assignment-in-put-api-v1-user-allows-password-hash-override