Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30822 is a high-severity Mass Assignment vulnerability in the Flowise application's /api/v1/leads endpoint affecting versions up to 3.0.12. It allows unauthenticated users to inject arbitrary values into internal database fields such as id, createdDate, and chatId when creating lead records."}, {'type': 'paragraph', 'content': 'The root cause is that the endpoint uses Object.assign to copy all properties from the incoming request body directly onto a new Lead entity instance without validating or filtering input fields. This overwrites auto-generated fields that should be controlled by the server, like the UUID primary key (id) and timestamp (createdDate).'}, {'type': 'paragraph', 'content': 'Because the endpoint is publicly accessible without authentication, attackers can send crafted POST requests to inject or manipulate these sensitive fields, leading to data integrity issues and potential business logic bypass.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can severely impact the integrity and security of your data and application.

• Attackers can inject arbitrary UUIDs, causing ID collisions or overwriting existing lead records.
• Manipulation of the createdDate field allows falsification of audit trails and reporting, undermining trustworthiness of data.
• Arbitrary assignment of chatId values can link leads to unauthorized chatflows, potentially bypassing business logic.
• Overall, it enables audit trail manipulation, data corruption, and could facilitate chained attacks due to inconsistent lead data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending crafted POST requests to the publicly accessible `/api/v1/leads` endpoint with JSON bodies that include the sensitive fields `id`, `createdDate`, and `chatId`. If the server accepts these values and responds with HTTP 200, it indicates the system is vulnerable.'}, {'type': 'paragraph', 'content': 'A suggested command to test this is using curl to send a POST request with attacker-controlled values for these fields.'}, {'type': 'list_item', 'content': 'curl -X POST http://<target-host>/api/v1/leads -H \'Content-Type: application/json\' -d \'{"id":"attacker-controlled-uuid","createdDate":"2026-01-01T00:00:00Z","chatId":"malicious-chat-id","name":"test","email":"[email protected]"}\''}, {'type': 'paragraph', 'content': 'If the response is HTTP 200 and the injected values appear in the database or lead records, the vulnerability is present.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include patching the Flowise application to version 3.0.13 or later, where this vulnerability has been fixed.

If patching is not immediately possible, implement input validation and whitelist allowed fields when processing incoming lead creation requests.

• Explicitly copy only safe fields such as `chatflowid`, `name`, `email`, and `phone` from the request body, excluding sensitive fields like `id` and `createdDate`.
• Use destructuring to extract only allowed fields from the request body before creating lead entities.
• Add decorators like `@Exclude()` from `class-transformer` to the Lead entity to prevent assignment of sensitive fields from incoming requests.

Additionally, review other endpoints for similar mass assignment issues and apply similar fixes.

Useful 0 Not Useful 0