Cyber Resilience

CVE-2026-30822

HighPublic PoC

Published: 07 March 2026

Published
07 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3 7.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0046 64.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30822 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Flowiseai Flowise. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Data-Related Vulnerabilities risk domain.

EU & UK References

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version…

more

3.0.13.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: flowise, large language model

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of public-facing web app via mass assignment (CWE-915) to modify internal DB fields.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

flowiseai
flowise
≤ 3.0.13

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References