CVE-2026-56276
Flowise Credential Manipulation via Mass Assignment

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.
Meta Information
Published: 2026-06-20
Last modified: 2026-06-20
Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: flowiseai
Product: flowise
Version / Range: up to 3.1.2 (excluding)
CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Executive Summary

CVE-2026-56276 is a mass assignment vulnerability in Flowise versions before 3.1.2, specifically in the PUT /api/v1/user endpoint.

This vulnerability allows authenticated users to directly modify restricted fields such as the password hash (credential) without proper validation.

Attackers can exploit this flaw by supplying a crafted password hash, bypassing the normal password change verification process and session invalidation.

As a result, an attacker who gains temporary access to an account (for example, through token theft or cross-site scripting) can establish persistent control over that account.

Impact Analysis

This vulnerability can lead to persistent unauthorized access to user accounts even after a temporary session compromise.

Attackers can bypass password change verification and session invalidation, meaning they can set a new password hash without providing the current password or following password policies.

This undermines account security by allowing attackers to maintain long-term access, potentially leading to data breaches or unauthorized actions within the affected system.

Detection Guidance

This vulnerability involves the PUT /api/v1/user endpoint allowing authenticated users to modify the credential field without validation. Detection would involve monitoring or inspecting requests to this endpoint for unusual or unauthorized modifications to the password hash field.

Suggested detection methods include logging and analyzing API requests to the PUT /api/v1/user endpoint to identify if the credential (password hash) field is being modified directly without proper password change verification.

Specific commands are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade Flowise to version 3.1.2 or later, where this mass assignment vulnerability has been fixed.

Until the upgrade is applied, restrict access to the PUT /api/v1/user endpoint to trusted authenticated users only, and monitor for suspicious activity involving password hash modifications.

Additionally, consider server-side validation or allowlisting of the fields a user may update, so that sensitive fields such as the credential cannot be modified directly through this endpoint.

Compliance Impact

The vulnerability allows attackers to bypass password change verification and session invalidation, enabling persistent unauthorized access to user accounts after temporary session compromise.

Such unauthorized persistent access could lead to unauthorized disclosure or modification of personal or sensitive data, which may impact compliance with standards like GDPR or HIPAA that require strict access controls and protection of user data.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.
