CVE-2026-56276
CVE-2026-56276 is a medium-severity vulnerability with a CVSS 4.0 base score of 6.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-915.
Key facts
- Severity: Medium (CVSS 4.0 base score 6.0)
- EPSS exploit prediction: 0% (16th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-38119
- Weakness: CWE-915
- Published:
- Last modified:
Description
Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.
Frequently asked questions
- What is CVE-2026-56276?
- Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.
- How severe is CVE-2026-56276?
- CVE-2026-56276 has a CVSS 4.0 base score of 6.0, rated medium severity.
- Is CVE-2026-56276 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (16th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-56276?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-56276 have an EU (EUVD) identifier?
- Yes. CVE-2026-56276 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-38119.
- When was CVE-2026-56276 published?
- CVE-2026-56276 was published on 2026-06-20 and last updated on 2026-06-22.
References
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-59fh-9f3p-7m39
- https://www.vulncheck.com/advisories/flowise-mass-assignment-in-put-api-v1-user-allows-password-hash-override
Other CWE-915 vulnerabilities
- CVE-2026-50160 — Critical (CVSS 10.0): Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and…
- CVE-2026-33453 — Critical (CVSS 10.0): Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap…
- CVE-2025-58367 — Critical (CVSS 10.0): DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are…
- CVE-2026-56142 — Critical (CVSS 9.9): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2025-2304 — Critical (CVSS 9.4): A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the…
- CVE-2025-24370 — Critical (CVSS 9.3): Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn…