Skip to main content

Flowise CVE-2025-71324

| EUVDEUVD-2025-210336 HIGH
External Control of File Name or Path (CWE-73)
2026-06-25 VulnCheck GHSA-4pwq-xw7j-m297
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated remote request triggers the flaw (AV:N/AC:L/PR:N/UI:N); impact is full file/database disclosure (C:H) with no integrity or availability effect (I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 23:04 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 22:32 vuln.today
Analysis Generated
Jun 25, 2026 - 22:32 vuln.today

DescriptionCVE.org

Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is not validated and is passed to streamStorageFile(), where a fallback file-lookup path constructed without the orgId is evaluated after the storage-directory containment check, allowing path traversal beyond the intended storage directory. Unauthenticated attackers can read sensitive files such as /root/.flowise/database.sqlite, exposing all database content in the default configuration.

AnalysisAI

Unauthenticated arbitrary file read in Flowise before 3.0.6 lets remote attackers traverse outside the storage directory via the unvalidated chatId parameter on the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints, reading sensitive files such as /root/.flowise/database.sqlite and dumping the entire application database in default deployments. The flaw was reported by VulnCheck with a vendor security advisory (GHSA-99pg-hqvx-r4gf), and while no public exploit was identified at time of analysis, the root cause and code path are fully documented in the advisory, lowering the barrier to weaponization. CVSS 4.0 base score is 8.7 (High), reflecting network-reachable, no-authentication, no-interaction exploitation with high confidentiality impact.

Technical ContextAI

Flowise is an open-source low-code platform for building LLM/agentic applications, distributed as the npm package 'flowise'. The affected code lies in the streamStorageFile() helper used by file-download endpoints. Per the GHSA source evidence, streamStorageFile validates that chatflowId is a UUID and strips traversal sequences from fileName via sanitize(), but performs no validation on chatId. The intended file path is path.join(getStoragePath(), orgId, chatflowId, chatId, sanitizedFilename), and a containment check (filePath.startsWith(getStoragePath())) is applied. The defect is a fallback branch: when the primary file is absent, the code re-computes fallbackPath = path.join(getStoragePath(), chatflowId, chatId, sanitizedFilename) WITHOUT the orgId segment and evaluates it AFTER the containment check, so the unvalidated chatId can inject ../ sequences that escape the storage root. This maps to CWE-73 (External Control of File Name or Path): attacker-controlled input directly influences a filesystem path, here enabling path traversal to arbitrary local files. The single affected CPE is cpe:2.3:a:flowise:flowise:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to Flowise 3.0.6 or later, which is the vendor-released patched version per the GHSA advisory and npm package metadata (Vendor-released patch: 3.0.6). Apply this as the primary fix and follow the advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-99pg-hqvx-r4gf. If immediate upgrade is not possible, place Flowise behind a reverse proxy or WAF and block or tightly restrict access to the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints, or require authentication in front of them - the trade-off is that legitimate file-download/upload-retrieval and OpenAI assistant file features will break for users routed through the block. Additionally, run the Flowise process as a non-root, least-privilege user and relocate the storage directory away from sensitive paths so that even a successful traversal cannot reach /root/.flowise/database.sqlite or other secrets; note this reduces but does not eliminate disclosure of files the process can still read. Rotate any credentials or API keys stored in the database after patching, since unauthenticated exposure may already have occurred.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

CVE-2025-71324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy