CVE-2026-30822

Flowise: Mass Assignment in `/api/v1/leads` Endpoint

CVSS 7.7 HIGHEPSS 12.9%CWE-915

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13.

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Affected products

FlowiseAI · Flowise

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-mq4r-h2gh-qv7x