CVE-2026-30822 HIGH

CVE-2026-30822: Flowise: Mass Assignment in `/api/v1/leads` Endpoint

Vendor: Flowiseai
Product: Flowise
Weakness: CWE-915
Published: March 7, 2026
Last update: March 9, 2026

CVSS base score

7.7/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01 Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13.

Key dates

02 Disclosure timeline

March 7, 2026: CVE published
March 9, 2026: Record updated