Cyber Resilience

CVE-2026-46479

HighUpdated

Published: 08 June 2026

Published
08 June 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 25.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-46479 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Flowiseai Flowise. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 25.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: flowise, large language model

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Mass assignment (CWE-915) enables cross-workspace takeover, directly facilitating privilege escalation via T1068.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

flowiseai
flowise
≤ 3.1.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References