CVE-2025-71334

CRITICAL

Flowise - Arbitrary File Access via Missing Chat Flow ID Validation

Title source: cna

Description

Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in file handling operations. By supplying a path-traversal value (e.g., '../../../../../tmp') as the chatflow id, an unauthenticated attacker can use the /api/v1/chatflows endpoint (via addBase64FilesToStorage) to write arbitrary files, and the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints (via streamStorageFile) to read arbitrary files. Arbitrary file write may lead to remote code execution.

References (4)

Core 4

Core References

Vendor Advisory vendor-advisory

GitHub Security Advisory (GHSA-q67q-549q-p849)

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-q67q-549q-p849

Patch patch

https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f

View Patch ZIP pw:eip

Patch patch

https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7

View Patch ZIP pw:eip

Third Party Advisory third-party-advisory

VulnCheck Advisory: Flowise - Arbitrary File Access via Missing Chat Flow ID Validation

https://www.vulncheck.com/advisories/flowise-arbitrary-file-access-via-missing-chat-flow-id-validation

Scores

CVSS v3 9.8

EPSS 0.0086

EPSS Percentile 53.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-73

Status published

Products (2)

Flowise/Flowise < 3.0.6

Flowise/Flowise 3.0.6

Published Jun 25, 2026

Tracked Since Jun 26, 2026