


Perceptive Security
SOC/SIEM Consultancy

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerabil…
Published:
22 April 2026 at 22:00:00
Alert date:
23 April 2026 at 21:01:44
Source:
nvd.nist.gov
Web Technologies, Cloud & Virtualization, Emerging Technologies
CVE-2026-41267 affects Flowise, a drag-and-drop interface for building large language model flows. Prior to version 3.1.0, an improper mass assignment (JSON injection) vulnerability exists in the account registration endpoint of Flowise Cloud. This allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. Attackers can manipulate ownership metadata, timestamps, organization associations, and role mappings. The vulnerability breaks trust boundaries in multi-tenant environments. The issue has been fixed in version 3.1.0.
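The class of bug described above, shown as an added example that is not Flowise's code or its actual fix: a registration handler that merges the request body into the stored record, next to one that copies only allowlisted fields and sets server-managed values itself. All field names, the `server` context object and the sample request are assumptions made for illustration.

```javascript
// Added illustration: field names are hypothetical, not Flowise's actual schema.
// Client-settable registration fields, each with a validator (the allowlist).
const CLIENT_FIELDS = {
  name: (v) => typeof v === 'string' && v.length > 0 && v.length <= 100,
  email: (v) => typeof v === 'string' && /^[^@\s]+@[^@\s]+$/.test(v),
  password: (v) => typeof v === 'string' && v.length >= 12, // hashing omitted here
};

// Vulnerable pattern: the request body is spread over the defaults, so any
// server-managed key or nested object in the JSON ends up in the stored record.
function registerUnsafe(body, server) {
  return { role: 'member', organizationId: server.newOrgId, createdDate: server.now, ...body };
}

// Hardened pattern: copy validated, allowlisted scalars only, then set the
// server-managed fields from trusted context. Unknown keys are returned for logging.
function registerSafe(body, server) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('registration body must be a JSON object');
  }
  const record = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    const known = Object.prototype.hasOwnProperty.call(CLIENT_FIELDS, key);
    if (!known) { rejected.push(key); continue; }
    if (!CLIENT_FIELDS[key](body[key])) throw new TypeError(`invalid value for ${key}`);
    record[key] = body[key];
  }
  for (const key of Object.keys(CLIENT_FIELDS)) {
    if (!(key in record)) throw new TypeError(`missing field ${key}`);
  }
  // Server-managed fields never come from the request.
  record.role = 'member';
  record.organizationId = server.newOrgId;
  record.createdDate = server.now;
  return { record, rejected };
}

// Constructed sample request that also carries server-managed fields.
const sampleBody = JSON.parse(`{
  "name": "Alice", "email": "alice@example.test", "password": "correct-horse-battery",
  "role": "owner", "createdDate": "2000-01-01T00:00:00Z",
  "organization": { "id": "org-other-tenant" }, "organizationId": "org-other-tenant"
}`);
const serverCtx = { newOrgId: 'org-new-123', now: '2026-04-23T00:00:00Z' };
```

The `rejected` list is worth logging: unexpected server-managed keys in a registration request are a useful detection signal for a SOC.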
Affected products:
Flowise
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41267
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj
This article was created with the assistance of AI technology by Perceptive.
