Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote API call over the network with low complexity; PR:L because any authenticated user can call import endpoints; high C and I from arbitrary SQL, no availability impact noted.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.
AnalysisAI
SQL injection in Flowise through 2.2.7 allows authenticated users to execute arbitrary SQL via the importChatflows API by supplying a crafted JSON file whose chatflow.id value is concatenated unsanitized into an IN clause. Successful exploitation enables blind and error-based extraction of stored credentials and tampering with application data. Publicly available exploit code exists in the GHSA advisory, though no active exploitation is confirmed.
Technical ContextAI
Flowise is an open-source low-code platform for building LLM orchestration flows, backed by a TypeORM-managed relational database. The vulnerable function importChatflows in packages/server/src/services/chatflows/index.ts builds a raw IN-clause string by interpolating each newChatflow.id directly into the query via createQueryBuilder().where(cf.id IN ${ids}), bypassing parameter binding. This is a textbook CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) flaw - a payload like ') {malicious SQL} -- breaks out of the quoted IN list and appends attacker-controlled SQL. The advisory notes that importTools and importVariables share the same unsafe import pattern, suggesting a class of bugs rather than a single defect.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - track FlowiseAI/Flowise pull request https://github.com/FlowiseAI/Flowise/pull/4226 and upgrade to the first Flowise release that incorporates it once published, monitoring the GHSA advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9c4c-g95m-c8cp. Until a tagged release ships, operators should restrict access to the importChatflows, importTools, and importVariables endpoints via a reverse proxy or auth middleware so only trusted administrators can call them (side effect: legitimate users lose self-service import); audit existing user accounts and rotate any secrets stored in the credential table since blind extraction is feasible (side effect: temporary service disruption for downstream integrations); and consider running Flowise behind a WAF rule that blocks single-quote and SQL keywords in JSON id fields posted to the import routes (side effect: may false-positive on legitimate identifiers containing those characters).
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c
FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una
Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210326