Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated remote request triggers the flaw (AV:N/AC:L/PR:N/UI:N); impact is full file/database disclosure (C:H) with no integrity or availability effect (I:N/A:N).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is not validated and is passed to streamStorageFile(), where a fallback file-lookup path constructed without the orgId is evaluated after the storage-directory containment check, allowing path traversal beyond the intended storage directory. Unauthenticated attackers can read sensitive files such as /root/.flowise/database.sqlite, exposing all database content in the default configuration.
AnalysisAI
Unauthenticated arbitrary file read in Flowise before 3.0.6 lets remote attackers traverse outside the storage directory via the unvalidated chatId parameter on the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints, reading sensitive files such as /root/.flowise/database.sqlite and dumping the entire application database in default deployments. The flaw was reported by VulnCheck with a vendor security advisory (GHSA-99pg-hqvx-r4gf), and while no public exploit was identified at time of analysis, the root cause and code path are fully documented in the advisory, lowering the barrier to weaponization. CVSS 4.0 base score is 8.7 (High), reflecting network-reachable, no-authentication, no-interaction exploitation with high confidentiality impact.
Technical ContextAI
Flowise is an open-source low-code platform for building LLM/agentic applications, distributed as the npm package 'flowise'. The affected code lies in the streamStorageFile() helper used by file-download endpoints. Per the GHSA source evidence, streamStorageFile validates that chatflowId is a UUID and strips traversal sequences from fileName via sanitize(), but performs no validation on chatId. The intended file path is path.join(getStoragePath(), orgId, chatflowId, chatId, sanitizedFilename), and a containment check (filePath.startsWith(getStoragePath())) is applied. The defect is a fallback branch: when the primary file is absent, the code re-computes fallbackPath = path.join(getStoragePath(), chatflowId, chatId, sanitizedFilename) WITHOUT the orgId segment and evaluates it AFTER the containment check, so the unvalidated chatId can inject ../ sequences that escape the storage root. This maps to CWE-73 (External Control of File Name or Path): attacker-controlled input directly influences a filesystem path, here enabling path traversal to arbitrary local files. The single affected CPE is cpe:2.3:a:flowise:flowise:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade to Flowise 3.0.6 or later, which is the vendor-released patched version per the GHSA advisory and npm package metadata (Vendor-released patch: 3.0.6). Apply this as the primary fix and follow the advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-99pg-hqvx-r4gf. If immediate upgrade is not possible, place Flowise behind a reverse proxy or WAF and block or tightly restrict access to the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints, or require authentication in front of them - the trade-off is that legitimate file-download/upload-retrieval and OpenAI assistant file features will break for users routed through the block. Additionally, run the Flowise process as a non-root, least-privilege user and relocate the storage directory away from sensitive paths so that even a successful traversal cannot reach /root/.flowise/database.sqlite or other secrets; note this reduces but does not eliminate disclosure of files the process can still read. Rotate any credentials or API keys stored in the database after patching, since unauthenticated exposure may already have occurred.
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c
FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una
Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210336
GHSA-4pwq-xw7j-m297