Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Valid API token required (PR:L); arbitrary filesystem write crosses component boundary (S:C) with high host integrity impact; no confidentiality or availability impact described.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Flowise before 3.1.0 contains a path traversal vulnerability in Faiss and SimpleStore vector store implementations that accept unsanitized basePath parameters from authenticated users. Attackers with valid API tokens can write vector store data to arbitrary filesystem locations, potentially enabling code execution or data exfiltration.
AnalysisAI
Path traversal in Flowise's Faiss and SimpleStore vector store implementations allows any holder of a valid API token to write vector store data to arbitrary filesystem locations, creating a practical path to remote code execution or data exfiltration on the hosting server. All Flowise deployments prior to version 3.1.0 are affected when either of these two vector store backends is configured. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid Flowise API token - the CVSS 4.0 PR:L metric confirms that low-privilege authentication is a hard prerequisite, making unauthenticated exploitation impossible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 4.9 reflects moderate severity, but the real-world risk profile is materially higher in certain deployment contexts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid Flowise API token submits a crafted request to the Faiss or SimpleStore vector store API endpoint, supplying a basePath value containing directory traversal sequences such as '../../var/spool/cron/' or a path within a web-accessible directory. Flowise writes attacker-controlled vector store index data to the specified arbitrary path without restriction. … |
| Remediation | The primary fix is upgrading Flowise to version 3.1.0 or later, which remediates path traversal by sanitizing the basePath parameter within both the Faiss and SimpleStore vector store implementations. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42251
GHSA-g8g5-48h4-5r8h