CVE-2026-30822

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-30822
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13.

7.7 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Exploitability : 2.2 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 Product Release Notes
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-mq4r-h2gh-qv7x Exploit Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
History

11 Mar 2026, 13:40

Type Values Removed Values Added
References () https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 - () https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 - Product, Release Notes
References () https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-mq4r-h2gh-qv7x - () https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-mq4r-h2gh-qv7x - Exploit, Mitigation, Vendor Advisory
Summary
  • (es) Flowise es una interfaz de usuario de arrastrar y soltar para construir un flujo de modelo de lenguaje grande personalizado. Antes de la versión 3.0.13, los usuarios no autenticados pueden inyectar valores arbitrarios en campos internos de la base de datos al crear clientes potenciales. Este problema ha sido parcheado en la versión 3.0.13.
First Time Flowiseai
Flowiseai flowise
CPE cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*

07 Mar 2026, 05:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-07 05:16

Updated : 2026-03-11 13:40

NVD link : CVE-2026-30822

Mitre link : CVE-2026-30822

CVE.ORG link : CVE-2026-30822

JSON object : View

Products Affected

flowiseai

  • flowise
CWE
CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes