Vulnerability-Lookup

CVE-2026-30821 (GCVE-0-2026-30821)

Vulnerability from cvelistv5 – Published: 2026-03-07 05:07 – Updated: 2026-03-09 20:44

Title

Flowise: Arbitrary File Upload via MIME Spoofing

Summary

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13.

Severity ?

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-434 - Unrestricted Upload of File with Dangerous Type

Assigner

GitHub_M

References

URL

Tags

	https://github.com/FlowiseAI/Flowise/security/adv…	x_refsource_CONFIRM
	https://github.com/FlowiseAI/Flowise/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	FlowiseAI	Flowise	Affected: < 3.0.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-30821",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T20:34:55.619665Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T20:44:24.875Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Flowise",
          "vendor": "FlowiseAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.0.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file\u0027s actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T05:07:50.067Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6"
        },
        {
          "name": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13"
        }
      ],
      "source": {
        "advisory": "GHSA-j8g8-j7fc-43v6",
        "discovery": "UNKNOWN"
      },
      "title": "Flowise: Arbitrary File Upload via MIME Spoofing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-30821",
    "datePublished": "2026-03-07T05:07:50.067Z",
    "dateReserved": "2026-03-05T21:06:44.605Z",
    "dateUpdated": "2026-03-09T20:44:24.875Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-30821\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-07T05:16:26.907\",\"lastModified\":\"2026-03-09T13:35:34.633\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file\u0027s actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13.\"},{\"lang\":\"es\",\"value\":\"Flowise es una interfaz de usuario de arrastrar y soltar para construir un flujo de modelo de lenguaje grande personalizado. Antes de la versi\u00f3n 3.0.13, el endpoint /api/v1/attachments/:chatflowId/:chatId est\u00e1 listado en WHITELIST_URLS, permitiendo acceso no autenticado a la API de carga de archivos. Aunque el servidor valida las cargas bas\u00e1ndose en los tipos MIME definidos en chatbotConfig.fullFileUpload.allowedUploadFileTypes, conf\u00eda impl\u00edcitamente en el encabezado Content-Type proporcionado por el cliente (file.mimetype) sin verificar el contenido real del archivo (bytes m\u00e1gicos) o la extensi\u00f3n (file.originalname). En consecuencia, un atacante puede eludir esta restricci\u00f3n falsificando el Content-Type como un tipo permitido (p. ej., application/pdf) mientras carga scripts maliciosos o archivos arbitrarios. Una vez cargados a trav\u00e9s de addArrayFilesToStorage, estos archivos persisten en el almacenamiento de backend (S3, GCS o disco local). Esta vulnerabilidad sirve como un punto de entrada cr\u00edtico que, cuando se encadena con otras caracter\u00edsticas como el alojamiento est\u00e1tico o la recuperaci\u00f3n de archivos, puede conducir a XSS Almacenado, alojamiento de archivos maliciosos o Ejecuci\u00f3n Remota de C\u00f3digo (RCE). Este problema ha sido parcheado en la versi\u00f3n 3.0.13.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"references\":[{\"url\":\"https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30821\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T20:34:55.619665Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-09T20:35:42.568Z\"}}], \"cna\": {\"title\": \"Flowise: Arbitrary File Upload via MIME Spoofing\", \"source\": {\"advisory\": \"GHSA-j8g8-j7fc-43v6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"FlowiseAI\", \"product\": \"Flowise\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.0.13\"}]}], \"references\": [{\"url\": \"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6\", \"name\": \"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13\", \"name\": \"https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file\u0027s actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434: Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-07T05:07:50.067Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-30821\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-09T20:44:24.875Z\", \"dateReserved\": \"2026-03-05T21:06:44.605Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-07T05:07:50.067Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

WID-SEC-W-2026-0626

Vulnerability from csaf_certbund - Published: 2026-03-05 23:00 - Updated: 2026-03-08 23:00

Summary

Flowise: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Flowise ist eine Benutzeroberfläche zur Erstellung von LLMs (Large Language Model).

Angriff

Ein Angreifer kann mehrere Schwachstellen in Flowise ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme

- Sonstiges - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Flowise ist eine Benutzeroberfl\u00e4che zur Erstellung von LLMs (Large Language Model).",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Flowise ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, Sicherheitsma\u00dfnahmen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0626 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0626.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0626 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0626"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jc5m-wrp2-qq38"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-mq4r-h2gh-qv7x"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq"
      },
      {
        "category": "external",
        "summary": "Flowise GitHub vom 2026-03-05",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x2g5-fvc2-gqvp"
      }
    ],
    "source_lang": "en-US",
    "title": "Flowise: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-03-08T23:00:00.000+00:00",
      "generator": {
        "date": "2026-03-09T08:11:51.241+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0626",
      "initial_release_date": "2026-03-05T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-05T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-08T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-10111, EUVD-2026-10110, EUVD-2026-10109, EUVD-2026-10108, EUVD-2026-10107"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.0.13",
                "product": {
                  "name": "Open Source Flowise \u003c3.0.13",
                  "product_id": "T051470"
                }
              },
              {
                "category": "product_version",
                "name": "3.0.13",
                "product": {
                  "name": "Open Source Flowise 3.0.13",
                  "product_id": "T051470-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:flowiseai:flowise:3.0.13"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Flowise"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-30820",
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-30820"
    },
    {
      "cve": "CVE-2026-30821",
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-30821"
    },
    {
      "cve": "CVE-2026-30822",
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-30822"
    },
    {
      "cve": "CVE-2026-30823",
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-30823"
    },
    {
      "cve": "CVE-2026-30824",
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00",
      "title": "CVE-2026-30824"
    },
    {
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00"
    },
    {
      "product_status": {
        "known_affected": [
          "T051470"
        ]
      },
      "release_date": "2026-03-05T23:00:00.000+00:00"
    }
  ]
}

GHSA-J8G8-J7FC-43V6

Vulnerability from github – Published: 2026-03-06 18:49 – Updated: 2026-03-09 13:15

Summary

Flowise has Arbitrary File Upload via MIME Spoofing

Details

Vulnerability Description

Vulnerability Overview

The /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API.
While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname).
Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE).

Vulnerable Code

Upload Route Definition

https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/attachments/index.ts#L7-L10

tsx // CREATE router.post('/:chatflowId/:chatId', getMulterStorage().array('files'), attachmentsController.createAttachment) export default router
Mount /api/v1/attachments to the global router

https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/index.ts#L72-L77

tsx const router = express.Router() router.use('/ping', pingRouter) router.use('/apikey', apikeyRouter) router.use('/assistants', assistantsRouter) router.use('/attachments', attachmentsRouter)
Include /api/v1/attachments in the WHITELIST_URLS list

https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/constants.ts#L6-L26

tsx export const WHITELIST_URLS = [ '/api/v1/verify/apikey/', '/api/v1/chatflows/apikey/', '/api/v1/public-chatflows', '/api/v1/public-chatbotConfig', '/api/v1/public-executions', '/api/v1/prediction/', '/api/v1/vector/upsert/', '/api/v1/node-icon/', '/api/v1/components-credentials-icon/', '/api/v1/chatflows-streaming', '/api/v1/chatflows-uploads', '/api/v1/openai-assistants-file/download', '/api/v1/feedback', '/api/v1/leads', '/api/v1/get-upload-file', '/api/v1/ip', '/api/v1/ping', '/api/v1/version', '/api/v1/attachments', '/api/v1/metrics',

Bypass JWT validation if the URL is whitelisted

https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/index.ts#L213-L228

```tsx const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : [] const whitelistURLs = WHITELIST_URLS.filter((url) => !denylistURLs.includes(url)) const URL_CASE_INSENSITIVE_REGEX: RegExp = /\/api\/v1\//i const URL_CASE_SENSITIVE_REGEX: RegExp = /\/api\/v1\//

    await initializeJwtCookieMiddleware(this.app, this.identityManager)

    this.app.use(async (req, res, next) => {
        // Step 1: Check if the req path contains /api/v1 regardless of case
        if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {
            // Step 2: Check if the req path is casesensitive
            if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {
                // Step 3: Check if the req path is in the whitelist
                const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))
                if (isWhitelisted) {
                    next()

```

Multer Configuration: Saves files without file type validation

https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/index.ts#L1917-L1960

```tsx export const getUploadPath = (): string => { return process.env.BLOB_STORAGE_PATH ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads') : path.join(getUserHome(), '.flowise', 'uploads') }

export function generateId() { return uuidv4() }

export const getMulterStorage = () => { const storageType = process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : 'local'

if (storageType === 's3') {
    const s3Client = getS3Config().s3Client
    const Bucket = getS3Config().Bucket

    const upload = multer({
        storage: multerS3({
            s3: s3Client,
            bucket: Bucket,
            metadata: function (req, file, cb) {
                cb(null, { fieldName: file.fieldname, originalName: file.originalname })
            },
            key: function (req, file, cb) {
                cb(null, `${generateId()}`)
            }
        })
    })
    return upload
} else if (storageType === 'gcs') {
    return multer({
        storage: new MulterGoogleCloudStorage({
            projectId: process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID,
            bucket: process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME,
            keyFilename: process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL,
            uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,
            destination: `uploads/${generateId()}`
        })
    })
} else {
    return multer({ dest: getUploadPath() })
}

} ```

Transfers uploaded files to storage without verification

https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/createAttachment.ts#L124-L158

``tsx const files = (req.files as Express.Multer.File[]) || [] const fileAttachments = [] if (files.length) { const isBase64 = req.body.base64 for (const file of files) { if (!allowedFileTypes.length) { throw new InternalFlowiseError( StatusCodes.BAD_REQUEST,File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}` ) }

        // Validate file type against allowed types
        if (allowedFileTypes.length > 0 && !allowedFileTypes.includes(file.mimetype)) {
            throw new InternalFlowiseError(
                StatusCodes.BAD_REQUEST,
                `File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}`
            )
        }

        await checkStorage(orgId, subscriptionId, appServer.usageCacheManager)

        const fileBuffer = await getFileFromUpload(file.path ?? file.key)
        const fileNames: string[] = []
        // Address file name with special characters: https://github.com/expressjs/multer/issues/1104
        file.originalname = Buffer.from(file.originalname, 'latin1').toString('utf8')
        const { path: storagePath, totalSize } = await addArrayFilesToStorage(
            file.mimetype,
            fileBuffer,
            file.originalname,
            fileNames,
            orgId,
            chatflowid,
            chatId
        )

```

PoC

PoC Description

Create a local file named shell.js containing arbitrary JavaScript code (or a malicious payload).
Send a multipart/form-data request to the /api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/:chatId endpoint without any authentication (login, session, or API keys).
During the upload, retain the filename as shell.js but spoof the Content-Type header as application/pdf.
This exploits the server's reliance solely on the client-provided file.mimetype, forcing it to process the malicious JS file as an allowed PDF, thereby confirming unauthenticated arbitrary file upload.

PoC

curl -X POST \
  "http://localhost:3000/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/$(uuidgen)" \
  -F "files=@shell.js;type=application/pdf"

Impact

1. Root Cause The vulnerability stems from relying solely on the MIME type without cross-validating the file extension or actual content. This allows attackers to upload executable files (e.g., .js, .php) or malicious scripts (.html) by masquerading them as benign images or documents.

2. Key Attack Scenarios

Server Compromise (RCE): An attacker uploads a Web Shell and triggers its execution on the server. Successful exploitation grants system privileges, allowing unauthorized access to internal data and full control over the server.
Client-Side Attack (Stored XSS): An attacker uploads files containing malicious scripts (e.g., HTML, SVG). When a victim views the file, the script executes within their browser, leading to session cookie theft and account takeover.

3. Impact This vulnerability is rated as High severity. The risk is particularly critical if the system utilizes shared storage (e.g., S3, GCS) or static hosting features, as the compromise could spread to the entire infrastructure and affect other tenants.

Severity ?

8.2 (High)


                  
                    CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.12"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-06T18:49:20Z",
    "nvd_published_at": "2026-03-07T05:16:26Z",
    "severity": "HIGH"
  },
  "details": "### Vulnerability **Description**\n\n---\n\n**Vulnerability Overview**\n \n- The `/api/v1/attachments/:chatflowId/:chatId` endpoint is listed in `WHITELIST_URLS`, allowing unauthenticated access to the file upload API.\n- While the server validates uploads based on the MIME types defined in `chatbotConfig.fullFileUpload.allowedUploadFileTypes`, it implicitly trusts the client-provided `Content-Type` header (`file.mimetype`) without verifying the file\u0027s actual content (magic bytes) or extension (`file.originalname`).\n- Consequently, an attacker can bypass this restriction by spoofing the `Content-Type` as a permitted type (e.g., `application/pdf`) while uploading malicious scripts or arbitrary files. Once uploaded via `addArrayFilesToStorage`, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE).\n\n**Vulnerable Code**\n\n- Upload Route Definition\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/attachments/index.ts#L7-L10\n    \n    ```tsx\n    // CREATE\n    router.post(\u0027/:chatflowId/:chatId\u0027, getMulterStorage().array(\u0027files\u0027), attachmentsController.createAttachment)\n    export default router\n    ```\n    \n- Mount /api/v1/attachments to the global router\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/index.ts#L72-L77\n    \n    ```tsx\n    const router = express.Router()\n    router.use(\u0027/ping\u0027, pingRouter)\n    router.use(\u0027/apikey\u0027, apikeyRouter)\n    router.use(\u0027/assistants\u0027, assistantsRouter)\n    router.use(\u0027/attachments\u0027, attachmentsRouter)\n    ```\n    \n- Include /api/v1/attachments in the WHITELIST_URLS list\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/constants.ts#L6-L26\n    \n    ```tsx\n    export const WHITELIST_URLS = [\n        \u0027/api/v1/verify/apikey/\u0027,\n        \u0027/api/v1/chatflows/apikey/\u0027,\n        \u0027/api/v1/public-chatflows\u0027,\n        \u0027/api/v1/public-chatbotConfig\u0027,\n        \u0027/api/v1/public-executions\u0027,\n        \u0027/api/v1/prediction/\u0027,\n        \u0027/api/v1/vector/upsert/\u0027,\n        \u0027/api/v1/node-icon/\u0027,\n        \u0027/api/v1/components-credentials-icon/\u0027,\n        \u0027/api/v1/chatflows-streaming\u0027,\n        \u0027/api/v1/chatflows-uploads\u0027,\n        \u0027/api/v1/openai-assistants-file/download\u0027,\n        \u0027/api/v1/feedback\u0027,\n        \u0027/api/v1/leads\u0027,\n        \u0027/api/v1/get-upload-file\u0027,\n        \u0027/api/v1/ip\u0027,\n        \u0027/api/v1/ping\u0027,\n        \u0027/api/v1/version\u0027,\n        \u0027/api/v1/attachments\u0027,\n        \u0027/api/v1/metrics\u0027,\n    ```\n    \n- Bypass JWT validation if the URL is whitelisted\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/index.ts#L213-L228\n    \n    ```tsx\n            const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(\u0027,\u0027) : []\n            const whitelistURLs = WHITELIST_URLS.filter((url) =\u003e !denylistURLs.includes(url))\n            const URL_CASE_INSENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//i\n            const URL_CASE_SENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//\n    \n            await initializeJwtCookieMiddleware(this.app, this.identityManager)\n    \n            this.app.use(async (req, res, next) =\u003e {\n                // Step 1: Check if the req path contains /api/v1 regardless of case\n                if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {\n                    // Step 2: Check if the req path is casesensitive\n                    if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {\n                        // Step 3: Check if the req path is in the whitelist\n                        const isWhitelisted = whitelistURLs.some((url) =\u003e req.path.startsWith(url))\n                        if (isWhitelisted) {\n                            next()\n    ```\n    \n- Multer Configuration: Saves files without file type validation\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/index.ts#L1917-L1960\n    \n    ```tsx\n    export const getUploadPath = (): string =\u003e {\n        return process.env.BLOB_STORAGE_PATH\n            ? path.join(process.env.BLOB_STORAGE_PATH, \u0027uploads\u0027)\n            : path.join(getUserHome(), \u0027.flowise\u0027, \u0027uploads\u0027)\n    }\n    \n    export function generateId() {\n        return uuidv4()\n    }\n    \n    export const getMulterStorage = () =\u003e {\n        const storageType = process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : \u0027local\u0027\n    \n        if (storageType === \u0027s3\u0027) {\n            const s3Client = getS3Config().s3Client\n            const Bucket = getS3Config().Bucket\n    \n            const upload = multer({\n                storage: multerS3({\n                    s3: s3Client,\n                    bucket: Bucket,\n                    metadata: function (req, file, cb) {\n                        cb(null, { fieldName: file.fieldname, originalName: file.originalname })\n                    },\n                    key: function (req, file, cb) {\n                        cb(null, `${generateId()}`)\n                    }\n                })\n            })\n            return upload\n        } else if (storageType === \u0027gcs\u0027) {\n            return multer({\n                storage: new MulterGoogleCloudStorage({\n                    projectId: process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID,\n                    bucket: process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME,\n                    keyFilename: process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL,\n                    uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,\n                    destination: `uploads/${generateId()}`\n                })\n            })\n        } else {\n            return multer({ dest: getUploadPath() })\n        }\n    }\n    ```\n    \n- Transfers uploaded files to storage without verification\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/createAttachment.ts#L124-L158\n    \n    ```tsx\n        const files = (req.files as Express.Multer.File[]) || []\n        const fileAttachments = []\n        if (files.length) {\n            const isBase64 = req.body.base64\n            for (const file of files) {\n                if (!allowedFileTypes.length) {\n                    throw new InternalFlowiseError(\n                        StatusCodes.BAD_REQUEST,\n                        `File type \u0027${file.mimetype}\u0027 is not allowed. Allowed types: ${allowedFileTypes.join(\u0027, \u0027)}`\n                    )\n                }\n    \n                // Validate file type against allowed types\n                if (allowedFileTypes.length \u003e 0 \u0026\u0026 !allowedFileTypes.includes(file.mimetype)) {\n                    throw new InternalFlowiseError(\n                        StatusCodes.BAD_REQUEST,\n                        `File type \u0027${file.mimetype}\u0027 is not allowed. Allowed types: ${allowedFileTypes.join(\u0027, \u0027)}`\n                    )\n                }\n    \n                await checkStorage(orgId, subscriptionId, appServer.usageCacheManager)\n    \n                const fileBuffer = await getFileFromUpload(file.path ?? file.key)\n                const fileNames: string[] = []\n                // Address file name with special characters: https://github.com/expressjs/multer/issues/1104\n                file.originalname = Buffer.from(file.originalname, \u0027latin1\u0027).toString(\u0027utf8\u0027)\n                const { path: storagePath, totalSize } = await addArrayFilesToStorage(\n                    file.mimetype,\n                    fileBuffer,\n                    file.originalname,\n                    fileNames,\n                    orgId,\n                    chatflowid,\n                    chatId\n                )\n    ```\n    \n\n### PoC\n\n---\n\n**PoC Description**\n \n- Create a local file named `shell.js` containing arbitrary JavaScript code (or a malicious payload).\n- Send a `multipart/form-data` request to the `/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/:chatId` endpoint without any authentication (login, session, or API keys).\n- During the upload, retain the filename as `shell.js` but spoof the `Content-Type` header as `application/pdf`.\n- This exploits the server\u0027s reliance solely on the client-provided `file.mimetype`, forcing it to process the malicious JS file as an allowed PDF, thereby confirming unauthenticated arbitrary file upload.\n\n**PoC**\n\n\n```bash\ncurl -X POST \\\n  \"http://localhost:3000/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/$(uuidgen)\" \\\n  -F \"files=@shell.js;type=application/pdf\"\n```\n\n\u003cimg width=\"1916\" height=\"1011\" alt=\"image\" src=\"https://github.com/user-attachments/assets/45679d95-00b9-4bee-9c94-7bd9403554d5\" /\u003e\n\n\n### Impact\n\n---\n\n**1. Root Cause**\nThe vulnerability stems from relying solely on the MIME type without cross-validating the file extension or actual content. This allows attackers to upload executable files (e.g., `.js`, `.php`) or malicious scripts (`.html`) by masquerading them as benign images or documents.\n\n**2. Key Attack Scenarios**\n\n- **Server Compromise (RCE):** An attacker uploads a **Web Shell** and triggers its execution on the server. Successful exploitation grants system privileges, allowing unauthorized access to internal data and full control over the server.\n- **Client-Side Attack (Stored XSS):** An attacker uploads files containing malicious scripts (e.g., HTML, SVG). When a victim views the file, the script executes within their browser, leading to session cookie theft and account takeover.\n\n**3. Impact**\nThis vulnerability is rated as **High** severity. The risk is particularly critical if the system utilizes shared storage (e.g., S3, GCS) or static hosting features, as the compromise could spread to the entire infrastructure and affect other tenants.",
  "id": "GHSA-j8g8-j7fc-43v6",
  "modified": "2026-03-09T13:15:25Z",
  "published": "2026-03-06T18:49:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30821"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise has Arbitrary File Upload via MIME Spoofing"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-30821 (GCVE-0-2026-30821)

WID-SEC-W-2026-0626

GHSA-J8G8-J7FC-43V6

Vulnerability Description

PoC

Impact

Tags

Sightings

Nomenclature