CVE-2026-46476: FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
(updated )
Type: Mass assignment via Object.assign(entity, body) -> client-controlled workspaceId (and on create, id) overwritten on the CustomTemplate entity -> cross-workspace data takeover and IDOR.
File: packages/server/src/services/marketplaces/index.ts
Root cause: The CustomTemplate controller/service constructs a new CustomTemplate() and copies the request body into it via Object.assign(...) without an explicit field allowlist. The request body therefore can include workspaceId, id, createdDate, updatedDate. The server only rebinds some of these after the assign (e.g. on create, it overwrites workspaceId but not id; on update, it overwrites id but not workspaceId). The remaining client-controlled values land directly on the persisted row, breaking workspace isolation. Same root pattern as the customtemplate entity’s sibling controllers and as DocumentStore before it was patched in commit 840d2ae.
References
- github.com/FlowiseAI/Flowise/commit/f64047bdcf4cbd6a30ec348b9e3f2899ff514e89
- github.com/FlowiseAI/Flowise/pull/6129
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-728h-4mwj-f2p4
- github.com/advisories/GHSA-728h-4mwj-f2p4
- nvd.nist.gov/vuln/detail/CVE-2026-46476
Code Behaviors & Features
Detect and mitigate CVE-2026-46476 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →