Arbitrary file upload in Flowise - CVE-2025-26319

Published: April 9, 2026


Vulnerability identifier: #VU125541
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-26319
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote user to upload arbitrary files and potentially execute arbitrary code.

The vulnerability exists due to unrestricted upload of a file with a dangerous type in the attachments upload endpoint when handling file upload requests. A remote user can upload a specially crafted file to place arbitrary files on the server and potentially execute arbitrary code.

The uploaded file is stored persistently on the server, and code execution requires the uploaded shell to be triggered through administrator error or by chaining with another vulnerability.


How to mitigate CVE-2025-26319

Install the security update from the vendor's website.

Sources