CVE-2026-8027 | THREATINT

Description

A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded.

PUBLISHED Reserved 2026-05-06 | Published 2026-05-06 | Updated 2026-05-06 | Assigner VulDB

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X

MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C

MEDIUM: 4.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C

4.0AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C

Problem types

Authorization Bypass

Improper Authorization

Product status

3.0.0

affected

3.0.1

affected

3.0.2

affected

3.0.3

affected

3.0.4

affected

3.0.5

affected

3.0.6

affected

3.0.7

affected

3.0.8

affected

3.0.9

affected

3.0.10

affected

3.0.11

affected

3.0.12

affected

Timeline

2026-05-06:	Advisory disclosed
2026-05-06:	VulDB entry created
2026-05-06:	VulDB entry last update

Credits

Eric-a (VulDB User) reporter

References

vuldb.com/submit/777657 exploit

vuldb.com/vuln/361274 (VDB-361274 | FlowiseAI Flowise User Controller authorization) vdb-entry technical-description

vuldb.com/vuln/361274/cti (VDB-361274 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/submit/777657 (Submit #777657 | FlowiseAI Flowise <= 3.0.12 Authorization Bypass Through User-Controlled Key (CWE-639)) third-party-advisory

gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b related

cve.org (CVE-2026-8027)

nvd.nist.gov (CVE-2026-8027)

Download JSON