NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-56276

Summary	Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.
Publication Date	June 21, 2026, 1:17 a.m.
Registration Date	June 27, 2026, 4:07 a.m.
Last Update	June 23, 2026, 3:36 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-59fh-9f3p-7m39	disclosure@vulncheck.com
2	https://www.vulncheck.com/advisories/flowise-mass-assignment-in-put-api-v1-user-allows-password-hash-override	disclosure@vulncheck.com
3	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-59fh-9f3p-7m39	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-915	動的に決定されたオブジェクト属性の不適切に制御された変更	https://cwe.mitre.org/data/definitions/915.html