
Flowise CVE-2025-26319

Severity: CRITICAL (CVSS 3.1 base score 9.8)
Weakness: Unrestricted Upload of File with Dangerous Type (CWE-434)
Published: 2025-03-04 (CNA: cve@mitre.org)

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 28, 2026 - 18:29 (vuln.today)
PoC Detected: Jun 24, 2025 - 00:50 (vuln.today) - public exploit code
CVE Published: Mar 04, 2025 - 22:15 (nvd)

Description (source: NVD)

FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.

Analysis (AI-generated)

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Unauthenticated attackers can upload malicious files including executable scripts, achieving remote code execution on the Flowise server.

Technical Context (AI-generated)

The /api/v1/attachments API endpoint allows file uploads without authentication or file type validation. An attacker can upload a .js, .py, or other executable file type. Depending on the server configuration and how uploaded files are served, this can lead to server-side code execution. Even without direct execution, uploaded files can overwrite application files or be used for phishing.

Remediation (AI-generated)

Update Flowise to the latest version. Implement authentication on all API endpoints. Configure strict file type allowlisting on upload endpoints. Run Flowise in a sandboxed container with minimal privileges. Monitor the attachments directory for unexpected file types.


CVE-2025-26319 vulnerability details – vuln.today
