Arbitrary file upload in Flowise - #VU129623

 


Published: March 13, 2025 / Updated: May 4, 2026


Vulnerability identifier: #VU129623
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote attacker to upload arbitrary files.

The vulnerability exists due to unrestricted file upload in the /api/v1/attachments endpoint when handling unauthenticated file upload requests with attacker-controlled path parameters. A remote attacker can send a specially crafted request to upload arbitrary files.

The issue is exposed only when the storageType setting is configured as local, which is the default configuration.


Remediation

Install the security update from the vendor's website.

Sources