Advisory

Flowise low coding platform vulnerable to pre-authentication arbitrary file upload

Take action: If you are running a Flowise server, plan an urgent patch: the exploit is simple, well documented, and already being used in the wild. If you cannot patch immediately, reconfigure the storage type to S3 until you can. Otherwise, take the server offline until it can be patched.


Learn More

A critical security vulnerability has been discovered in Flowise, a popular open-source no-code/low-code platform used for creating AI agents. The platform, which has garnered over 35,000 stars on GitHub and more than 1 million Docker pulls, is utilized by organizations ranging from small-to-medium businesses to large enterprises.

The vulnerability is tracked as CVE-2025-26319 (CVSS score 9.8) and allows unauthenticated attackers to upload arbitrary files to servers hosting Flowise agents via the 'knowledge upload' feature. The flaw could enable attackers to gain remote control of the entire server by uploading malicious files, scripts, configuration files, and even SSH keys.

The technical root cause involves the platform's authentication mechanism, which uses a whitelist approach for certain APIs. The vulnerability affects the /api/v1/attachments endpoint, which is included in this whitelist. When handling file uploads through this endpoint, the system fails to properly validate the chatflowId and chatId parameters extracted from the request. Since these values are used to construct the storage path without validation, attackers can manipulate these variables to perform path traversal attacks and write files to arbitrary locations on the server.

The vulnerability could lead to complete compromise of Flowise instances, remote control over the entire server, data infiltration and exfiltration, and exposure of sensitive configuration information.

The vulnerability has been patched in version 2.2.7-patch.1.

The security researchers report that the Flowise team was unresponsive to their attempts to collaborate over a 45-day period. The decision to disclose publicly was made after the researchers observed the vulnerability being actively exploited in the wild.

Users of Flowise can mitigate this vulnerability by:

  1. Upgrading to version 2.2.7-patch.1 or later
  2. Changing the storage type from the default "Local" to "S3" (which would protect against these attacks)
  3. Applying the patch provided by the security researchers