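A weakness has been identified in FlowiseAI Flowise up to 3.0.12. It affects an unspecified function of the User Controller Handler component. Manipulating the argument userId/organizationId/workspaceId/email leads to an authorization bypass. The attack may be initiated remotely. The affected component should be upgraded; the record below lists 3.0.0 through 3.0.12 as affected and does not name a fixed version, so confirm the patched release with the vendor before closing the finding. The record classifies the issue as CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-285 (Improper Authorization) and scores it CVSS 3.1 4.3 (Medium), with low privileges required (PR:L) and a confidentiality-only impact.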
FlowiseAI Flowise User Controller authorization
Problem type
Affected products
FlowiseAI
3.0.0 - AFFECTED
3.0.1 - AFFECTED
3.0.2 - AFFECTED
3.0.3 - AFFECTED
3.0.4 - AFFECTED
3.0.5 - AFFECTED
3.0.6 - AFFECTED
3.0.7 - AFFECTED
3.0.8 - AFFECTED
3.0.9 - AFFECTED
3.0.10 - AFFECTED
3.0.11 - AFFECTED
3.0.12 - AFFECTED
References
https://vuldb.com/vuln/361274
https://vuldb.com/vuln/361274/cti
https://vuldb.com/submit/777657
https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b
GitHub Security Advisories
GHSA-3qmj-rc63-mhjw
A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability...
https://github.com/advisories/GHSA-3qmj-rc63-mhjw
A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded.
https://nvd.nist.gov/vuln/detail/CVE-2026-8027
https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b
https://vuldb.com/submit/777657
https://vuldb.com/vuln/361274
https://vuldb.com/vuln/361274/cti
https://github.com/advisories/GHSA-3qmj-rc63-mhjw
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-8027
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-8027",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2026-05-06T15:26:30.808Z",
"dateReserved": "2026-05-06T07:40:34.416Z",
"datePublished": "2026-05-06T13:45:10.213Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2026-05-06T13:45:10.213Z"
},
"title": "FlowiseAI Flowise User Controller authorization",
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded."
}
],
"affected": [
{
"vendor": "FlowiseAI",
"product": "Flowise",
"cpes": [
"cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*"
],
"modules": [
"User Controller Handler"
],
"versions": [
{
"version": "3.0.0",
"status": "affected"
},
{
"version": "3.0.1",
"status": "affected"
},
{
"version": "3.0.2",
"status": "affected"
},
{
"version": "3.0.3",
"status": "affected"
},
{
"version": "3.0.4",
"status": "affected"
},
{
"version": "3.0.5",
"status": "affected"
},
{
"version": "3.0.6",
"status": "affected"
},
{
"version": "3.0.7",
"status": "affected"
},
{
"version": "3.0.8",
"status": "affected"
},
{
"version": "3.0.9",
"status": "affected"
},
{
"version": "3.0.10",
"status": "affected"
},
{
"version": "3.0.11",
"status": "affected"
},
{
"version": "3.0.12",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Authorization Bypass",
"cweId": "CWE-639",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Improper Authorization",
"cweId": "CWE-285",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/vuln/361274",
"name": "VDB-361274 | FlowiseAI Flowise User Controller authorization",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/vuln/361274/cti",
"name": "VDB-361274 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/submit/777657",
"name": "Submit #777657 | FlowiseAI Flowise <= 3.0.12 Authorization Bypass Through User-Controlled Key (CWE-639)",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b",
"tags": [
"related"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"baseScore": 4.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"baseScore": 4.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
"baseScore": 4
}
}
],
"timeline": [
{
"time": "2026-05-06T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2026-05-06T02:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2026-05-06T09:45:42.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "Eric-a (VulDB User)",
"type": "reporter"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-05-06T15:26:30.808Z"
},
"title": "CISA ADP Vulnrichment",
"references": [
{
"url": "https://vuldb.com/submit/777657",
"tags": [
"exploit"
]
}
],
"metrics": [
{}
]
}
]
}
}