CVE-2026-41269

HIGH

Flowise: File Upload Validation Bypass in createAttachment

Title source: cna

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr

Scores

CVSS v3 7.1

EPSS 0.0047

EPSS Percentile 36.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-434

Status published

Products (3)

flowiseai/flowise < 3.1.0

FlowiseAI/Flowise < 3.1.0

npm/flowise 0 - 3.1.0npm

Published Apr 23, 2026

Tracked Since Apr 24, 2026