CVE-2026-30821 · CRITICAL 9.8 · EPSS p96.9%

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13.
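
Added example (not Flowise's code or its 3.0.13 patch): a server-side check that treats file.mimetype as a claim and confirms it against the extension in file.originalname and the file's leading magic bytes. KNOWN_TYPES, validateUpload and the sample files are constructed for illustration, and file.buffer is assumed to hold the uploaded bytes.

```javascript
// Constructed table: MIME type -> permitted extensions and leading magic bytes.
const KNOWN_TYPES = {
  'application/pdf': { exts: ['.pdf'], magic: [Buffer.from('%PDF-')] },
  'image/png': { exts: ['.png'], magic: [Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])] },
  'image/jpeg': { exts: ['.jpg', '.jpeg'], magic: [Buffer.from([0xff, 0xd8, 0xff])] },
};

// Hypothetical helper: accept a file only when the declared type is on the
// allow-list AND the extension AND the content both agree with that type.
function validateUpload(file, allowedMimeTypes) {
  // Drop parameters such as "; charset=..." and normalise case.
  const declared = String(file.mimetype || '').split(';')[0].trim().toLowerCase();
  if (!allowedMimeTypes.includes(declared)) return { ok: false, reason: 'type-not-allowed' };

  const spec = KNOWN_TYPES[declared];
  // Fail closed: an allowed type whose content cannot be verified is rejected.
  if (!spec) return { ok: false, reason: 'no-signature-for-type' };

  const name = String(file.originalname || '');
  const dot = name.lastIndexOf('.');
  const ext = dot >= 0 ? name.slice(dot).toLowerCase() : '';
  if (!spec.exts.includes(ext)) return { ok: false, reason: 'extension-mismatch' };

  const buf = Buffer.isBuffer(file.buffer) ? file.buffer : Buffer.alloc(0);
  const matches = spec.magic.some(
    (m) => buf.length >= m.length && buf.subarray(0, m.length).equals(m)
  );
  if (!matches) return { ok: false, reason: 'content-mismatch' };
  return { ok: true, reason: 'ok' };
}

// Constructed sample uploads; all three declare application/pdf.
const SAMPLES = [
  { mimetype: 'application/pdf', originalname: 'report.pdf', buffer: Buffer.from('%PDF-1.7\n') },
  { mimetype: 'application/pdf', originalname: 'page.html', buffer: Buffer.from('<html>not a pdf</html>') },
  { mimetype: 'application/pdf', originalname: 'page.pdf', buffer: Buffer.from('<html>not a pdf</html>') },
];

for (const f of SAMPLES) {
  console.log(f.originalname, validateUpload(f, ['application/pdf']).reason);
}
```

Leading-byte checks do not catch polyglot files, so stored uploads should still be served with a fixed Content-Type and Content-Disposition: attachment.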

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 18.33% probability of exploitation · percentile 96.9% · 2026-06-18T12:00:27Z
Published: 2026-03-07
Last modified: 2026-03-11

Underlying weaknesses · 1

CWE-434

References

  1. https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13
  2. https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6

Type: Weakness
Target: Unrestricted Upload of File with Dangerous Type (cwe-434)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-41269
  2. CVE-2025-61687
  3. CVE-2026-31829
  4. CVE-2026-41273
  5. CVE-2025-26319
  6. CVE-2026-30820

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.