CVE-2026-30821

CRITICAL
Published March 7, 2026
CISO Take

Any internet-facing Flowise instance running below v3.0.13 is fully compromised — unauthenticated attackers can upload arbitrary files by spoofing Content-Type headers, with a direct path to RCE when chained with Flowise's own file retrieval or static hosting features. Patch to 3.0.13 immediately; if patching is blocked, firewall the /api/v1/attachments endpoint at the perimeter and audit your file storage (S3/GCS/local) for unexpected non-document uploads. Treat any unpatched instance as a beachhead into your AI infrastructure.

Affected Systems

Package Ecosystem Vulnerable Range Patched
flowise No patch
flowise No patch
flowise No patch

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

  1. PATCH: Upgrade to Flowise v3.0.13 immediately; this is the only complete fix.
  2. NETWORK CONTROL: If patching is delayed, block unauthenticated access to /api/v1/attachments/* at the WAF or reverse proxy layer.
  3. STORAGE AUDIT: Enumerate all files in your Flowise storage backend (S3 bucket, GCS bucket, or local upload directory) and flag any non-image/non-document file types (e.g., .php, .js, .html, .py, .sh). Remove suspicious files and rotate any credentials stored in Flowise flows.
  4. DETECTION: Alert on POST requests to /api/v1/attachments with Content-Type mismatches (e.g., application/pdf with .php or .html extensions in the filename). Enable S3/GCS access logging and alert on new file writes with executable extensions.
  5. ISOLATION: Ensure Flowise instances are not directly internet-facing unless business-required; place them behind an authenticated reverse proxy.
  6. SECRET ROTATION: After patching, rotate all API keys (LLM providers, database, external services) stored in Flowise flow configurations as a precaution.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI System Security: Input Validation
A.8.1 - AI Risk Treatment: Access Control for AI Resources
A.9.2 - Information security in AI system development
NIST AI RMF
GOVERN 1.2 - Accountability: Risk Management Policies
MANAGE 2.2 - Mechanisms for AI risk treatment are in place
MEASURE 2.5 - AI System Trustworthiness Testing: Security Properties
OWASP LLM Top 10
LLM02 - Insecure Output Handling
LLM03:2025 - Supply Chain Vulnerabilities
LLM05:2025 - Improper Output Handling
LLM07 - Insecure Plugin Design

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13.
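
The check the description says was missing, as an added example (not Flowise's code and not its 3.0.13 patch): the declared type, the extension of file.originalname and the file's leading bytes must all agree before an upload is stored. The function names, the `buffer` field on the file object and the sample uploads are assumptions constructed for illustration.

```javascript
// Added example, not Flowise source. Function names and the `buffer` field are assumptions.
// Allowed MIME type -> acceptable extensions and required leading bytes.
const SIGNATURES = {
  'application/pdf': { exts: ['.pdf'], magic: Buffer.from('%PDF-') },
  'image/png': { exts: ['.png'], magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  'image/jpeg': { exts: ['.jpg', '.jpeg'], magic: Buffer.from([0xff, 0xd8, 0xff]) },
};

// Flawed pattern from the advisory: only the client-declared type is consulted.
function trustsDeclaredType(file, allowed) {
  return allowed.includes(file.mimetype);
}

// Hardened check: declared type, filename extension and leading bytes must agree.
function validateUpload(file, allowed) {
  if (!allowed.includes(file.mimetype)) return { ok: false, reason: 'type-not-allowed' };
  const sig = SIGNATURES[file.mimetype];
  if (!sig) return { ok: false, reason: 'no-signature-known' }; // fail closed
  const name = String(file.originalname).toLowerCase();
  const dot = name.lastIndexOf('.');
  const ext = dot < 0 ? '' : name.slice(dot);
  if (!sig.exts.includes(ext)) return { ok: false, reason: 'extension-mismatch' };
  const head = file.buffer.subarray(0, sig.magic.length);
  if (!head.equals(sig.magic)) return { ok: false, reason: 'magic-mismatch' };
  return { ok: true, reason: 'ok' };
}

// Constructed sample uploads (benign placeholder bytes, not real files).
const ALLOWED = ['application/pdf', 'image/png'];
const SAMPLES = {
  genuine: { mimetype: 'application/pdf', originalname: 'report.pdf', buffer: Buffer.from('%PDF-1.7\n...') },
  spoofedExt: { mimetype: 'application/pdf', originalname: 'notes.html', buffer: Buffer.from('<p>hello</p>') },
  spoofedBody: { mimetype: 'application/pdf', originalname: 'notes.pdf', buffer: Buffer.from('<p>hello</p>') },
  disallowed: { mimetype: 'text/html', originalname: 'notes.html', buffer: Buffer.from('<p>hello</p>') },
};

// Show, per sample, what the flawed check accepts and why the hardened one decides as it does.
for (const [label, file] of Object.entries(SAMPLES)) {
  console.log(label, trustsDeclaredType(file, ALLOWED), validateUpload(file, ALLOWED).reason);
}
```

A matching signature only proves how the file starts, so stored uploads should still be served with a fixed Content-Type and `X-Content-Type-Options: nosniff` rather than a type derived from the filename.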

Exploitation Scenario

An adversary scans for publicly accessible Flowise instances (trivially found via Shodan/Censys querying for Flowise's default port and UI fingerprint). They POST to /api/v1/attachments/{chatflowId}/{chatId} with a request body containing a PHP webshell payload (<?php system($_GET['cmd']); ?>), but set the Content-Type header to application/pdf. Flowise's validation sees application/pdf (an allowed type), stores the file as chatflowId_chatId_webshell.php in the configured backend. If storage is local disk with a web-accessible path, the attacker directly requests the file to trigger RCE. If using S3/GCS with public or semi-public bucket policies, the file is accessible externally and can be delivered as a malicious payload to downstream users. The attacker then achieves full host access, exfiltrating all LLM API keys, database credentials, and configured flow secrets — turning the Flowise node into a persistent foothold within the organization's AI infrastructure.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
March 7, 2026
Last Modified
March 11, 2026
First Seen
March 7, 2026