CVE-2026-41267: Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association

April 16, 2026 (updated April 24, 2026)

An improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment.

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj
github.com/advisories/GHSA-48m6-ch88-55mj
nvd.nist.gov/vuln/detail/CVE-2026-41267

Code Behaviors & Features

Detect and mitigate CVE-2026-41267 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →