GHSA-48m6-ch88-55mj: Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
An improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment.
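The flaw class described above, next to an allow-list fix, as an added example that is not Flowise's code. All field names (`createdDate`, `organizationId`, `role`), the helper names and the sample request body are assumptions constructed for illustration.

```javascript
// Added example; field names are hypothetical, not Flowise's real schema.
// Validators for the only fields a client may supply at registration.
const CLIENT_FIELDS = {
  name: (v) => typeof v === 'string' && v.length > 0 && v.length <= 100,
  email: (v) => typeof v === 'string' && /^[^@\s]+@[^@\s]+$/.test(v),
  password: (v) => typeof v === 'string' && v.length >= 12,
};

// Vulnerable pattern: the body is merged over the server's values, so any
// server-managed key or nested object the client sends ends up in the record.
function bindUnsafe(body, serverValues) {
  return { ...serverValues, ...body };
}

// Hardened pattern: accept only allow-listed, validated scalars, reject the
// request if anything else is present, and apply server values last.
function bindRegistration(body, serverValues) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, rejected: ['<body>'], missing: [], user: null };
  }
  const user = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    const known = Object.prototype.hasOwnProperty.call(CLIENT_FIELDS, key);
    if (known && CLIENT_FIELDS[key](body[key])) user[key] = body[key];
    else rejected.push(key);
  }
  const missing = Object.keys(CLIENT_FIELDS).filter((k) => !(k in user));
  if (rejected.length > 0 || missing.length > 0) {
    return { ok: false, rejected, missing, user: null };
  }
  return { ok: true, rejected, missing, user: { ...user, ...serverValues } };
}

// Constructed sample request body (not captured traffic).
const SAMPLE_BODY = {
  name: 'Alice',
  email: 'alice@example.test',
  password: 'correct-horse-battery',
  createdDate: '2000-01-01T00:00:00Z',
  organizationId: 'org-other',
  role: { name: 'owner' },
};
// Values the server decides for every new account (constructed).
const SERVER_VALUES = { createdDate: '2025-01-01T00:00:00Z', organizationId: 'org-new', role: 'member' };
```

Logging the `rejected` list for failed registrations gives a detection signal for clients that send server-managed fields.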