Post by Berk Dedekargınoğlu

Offensive Security Engineer | Vulnerability Researcher | 14+ CVEs | Building MentionCheck

I recently reported two security vulnerabilities in Flowise (now part of Workday), both of which have been assigned CVEs. • CVE-2026-41277 – Mass Assignment leading to implicit UPSERT → potential cross-workspace object takeover (BOLA/IDOR) • CVE-2026-41267 – Registration endpoint JSON injection → unauthorized organization association & privilege escalation Both issues highlight a common pattern: lack of strict input validation and trust boundary enforcement in multi-tenant architectures. Details and technical breakdowns are in the advisories: https://lnkd.in/dYGe7qEm https://lnkd.in/d79WbyFf Relevant for anyone building or auditing SaaS systems with ORM layers. #infosec #appsec #cve #multitenancy #flowiseai