CVE-2026-8027

Summary

A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded.

Affected Software

VendorProductVersion RangeStatus
FlowiseAIFlowise3.0.0affected
FlowiseAIFlowise3.0.1affected
FlowiseAIFlowise3.0.2affected
FlowiseAIFlowise3.0.3affected
FlowiseAIFlowise3.0.4affected
FlowiseAIFlowise3.0.5affected
FlowiseAIFlowise3.0.6affected
FlowiseAIFlowise3.0.7affected
FlowiseAIFlowise3.0.8affected
FlowiseAIFlowise3.0.9affected
FlowiseAIFlowise3.0.10affected
FlowiseAIFlowise3.0.11affected
FlowiseAIFlowise3.0.12affected

Weaknesses

  • CWE-639: Authorization Bypass
  • CWE-285: Improper Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References