GHSA-x5v6-pj28-cwwm
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
Details
### Summary A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI.
The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource.
Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign tools to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments.
### Details The endpoint responsible for updating tools:
**PUT /api/v1/tools/{toolId}**
accepts a JSON request body containing tool metadata.
However, the server does not restrict which properties may be modified by the client. As a result, user-controlled request bodies can include additional fields that should normally be controlled only by the backend.
Server-controlled fields that can be manipulated include:
1. workspaceId 2. createdDate 3. updatedDate
The request body is directly merged into the underlying database entity without proper DTO validation or authorization checks.
### PoC Authenticate to the Flowise interface.
Capture the request used to update a tool:
```http PUT /api/v1/tools/<TOOL_ID> Content-Type: application/json
Modify the request body by injecting additional fields:
{ "name": "aaa", "description": "bbb", "color": "linear-gradient(rgb(109,215,45), rgb(136,170,134))", "schema": "[]", "func": "", "iconSrc": "test", "workspaceId": "11111111-2222-3333-4444-555555555555", "createdDate": "1995-03-06T14:17:50.000Z", "updatedDate": "1995-03-06T14:17:50.000Z" }
``` Send the request.
Observe that the response includes the manipulated fields:
```json { "workspaceId": "11111111-2222-3333-4444-555555555555", "createdDate": "1995-03-06T14:17:50.000Z" } ```
This confirms that client-controlled values are accepted and persisted by the server.
### Impact This vulnerability allows authenticated users to manipulate internal attributes of tool resources.
Confirmed impacts include:
- Cross-workspace reassignment of tools (workspaceId) - Unauthorized modification of metadata (createdDate, updatedDate)
In multi-tenant deployments, this may allow an attacker to move tools between workspaces without authorization, breaking tenant isolation boundaries.
Are you affected?
Enter the version of the package you're using.