Home / Vulnerability Intelligence / CVE-2026-8027

CVE-2026-8027 - Vulnerability Analysis

MediumCVSS: 4.3

Last Updated: May 7, 2026

FlowiseAI Flowise - Authorization Bypass

Published: May 6, 2026Updated: May 7, 2026PoC AvailableRemote Exploitable

Overview

FlowiseAI Flowise <= 3.0.12 contains an authorization bypass caused by manipulation of userId, organizationId, workspaceId, or email arguments in User Controller Handler, letting remote attackers bypass authorization, exploit requires crafted request.

Severity & Score

Severity: Medium

CVSS Score: 4.3

Impact

Remote attackers can bypass authorization, potentially gaining unauthorized access to restricted resources.

Mitigation

Upgrade to the latest version.

References

https://vuldb.com/vuln/361274
https://vuldb.com/vuln/361274/cti
https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b
https://vuldb.com/submit/777657

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-8027
Severity: Medium
CVSS Score: 4.3
Type: broken_access_control
Status: confirmed

CWE

CWE-285

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N