CVE-2025-26319
Published 2025-03-04
CVE-2025-26319: FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.
Priority: P1 90 · critical · 9.8 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 50.79% (98.8th percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowiseai | flowise | — | — |
| flowiseai | flowise | 0 – 2.2.6 | — |
| flowiseai | flowise | >= 3.0.1 < 3.0.8 | 3.0.8 |
| flowiseai | flowise | >= 3.0.1 < 3.0.8 | 3.0.8 |
| flowiseai | flowise | 3.0.1 – 3.0.8 | — |
Detection & IOCs (extracted from sources)
- url: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2froot%2f/.flowise
- path: /api/v1/attachments
- path: .flowise/api.json
Snort/Suricata rule (ET sid:2061358):
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Flowise Pre-Auth Arbitrary File Upload Attempt (CVE-2025-26319)"; flow:established,to_server; http.request_line; content:"POST /api/v1/attachments/"; startswith; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183; reference:cve,2025-26319; classtype:attempted-admin; sid:2061358; rev:1; metadata:affected_product Flowise, attack_target Web_Server, tls_state plaintext, created_at 2025_04_07, cve CVE_2025_26319, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
Detections:
- Detect path traversal in POST requests to /api/v1/attachments/ using URL-encoded dot-slash sequences (e.g., %2f, %2e, %5c) to escape the upload directory.
- Alert on POST requests to /api/v1/attachments/ where the path contains traversal sequences targeting /.flowise or /root/ directories.
- Monitor for unauthenticated uploads of a file named api.json to the Flowise attachments endpoint, which can overwrite the API key configuration.
- After a successful upload, watch for GET /api/v1/apikey requests using a Bearer token injected via the overwritten api.json, indicating API key harvesting.
- Use Shodan/FOFA queries to identify exposed Flowise instances as potential targets; between 12,000 and 15,000 instances are currently exposed online.
- CVE-2025-26319 is being actively exploited in the wild alongside CVE-2025-8943 and CVE-2025-59528; treat any Flowise instance on version ≤2.2.6 as compromised until patched.
Caveats:
- The vulnerability is unauthenticated (no credentials required), so absence of auth headers in upload requests to /api/v1/attachments/ is expected and should not be used to filter out detections.
- The Nuclei PoC template uses a hardcoded test API key and secret; these specific values may appear in benign scanner traffic and should be correlated with other indicators before concluding compromise.
- The Snort/ET rule (sid:2061358) is scoped to plaintext (tls_state plaintext); TLS-terminated deployments behind a reverse proxy will require decryption or an equivalent application-layer inspection rule.
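An added Python port of the request-line checks in ET rule sid:2061358 (not code from the page's sources or from Flowise), run over constructed request lines so the rule's matching logic can be validated against a proxy or access-log feed offline; the sample lines and function names are assumptions made for this example.

```python
import re

# Added example: Python port of the request-line checks in the ET/Suricata
# rule sid:2061358 (CVE-2025-26319). Sample request lines are constructed.

# The rule anchors on this literal at the start of the HTTP request line
# (content:"POST /api/v1/attachments/"; startswith;).
PREFIX = "POST /api/v1/attachments/"

# The rule's PCRE, applied relative to the end of PREFIX (/R). It requires at
# least two "dot(s) then slash(es)" groups, each part literal or URL-encoded,
# and does not scan past the first '&' (\x26).
TRAVERSAL = re.compile(
    r"^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}"
)


def is_traversal_upload(request_line: str) -> bool:
    """True when the HTTP request line would fire sid:2061358."""
    if not request_line.startswith(PREFIX):
        return False
    return TRAVERSAL.match(request_line[len(PREFIX):]) is not None


def scan(request_lines):
    """Return the request lines that match, preserving order.

    No Authorization header is consulted: the upload is pre-auth, so a
    missing auth header is expected on malicious traffic as well.
    """
    return [line for line in request_lines if is_traversal_upload(line)]


# Constructed samples: the first reproduces the traversal URL listed on this
# page, the second mixes %2e/%5c encoding, the last two are benign or out of
# the rule's scope (wrong method).
SAMPLE_REQUEST_LINES = [
    "POST /api/v1/attachments/..%2f..%2f..%2f..%2f..%2froot%2f/.flowise HTTP/1.1",
    "POST /api/v1/attachments/%2e%2e%5c%2e%2e%5c.flowise%2fapi.json HTTP/1.1",
    "POST /api/v1/attachments/chatflow-1/chat-1 HTTP/1.1",
    "GET /api/v1/attachments/..%2f..%2f HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUEST_LINES):
        print("ALERT sid:2061358 ->", hit)
```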
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 9.8 | CRITICAL | — |
| osv | 9.8 | CRITICAL | — |
| vulncheck | 9.8 | CRITICAL | — |
OSV · 2025-10-14 · CVSS 9.8
CVE-2025-34267 [CRITICAL] Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages
Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the host and circumvent the intended nodevm sandbox restrictions, resulting in execution of arbitrary code in the context of the host.
**NOTE**: This vulnerability was incorrectly as
GHSA · 2025-10-14 · CVSS 9.8
CVE-2025-34267 [CRITICAL] CWE-77 Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages
Advisory text identical to the OSV entry for CVE-2025-34267 above.
OSV · 2025-03-05
CVE-2025-26319 [HIGH] FlowiseAI Flowise arbitrary file upload vulnerability
FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.
GHSA · 2025-03-05
CVE-2025-26319 [HIGH] CWE-434 FlowiseAI Flowise arbitrary file upload vulnerability
FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.
VulnCheck · 2025 · CVSS 9.8
CVE-2025-26319 [CRITICAL] FlowiseAI Flowise Unrestricted Upload of File with Dangerous Type
FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.
Affected: FlowiseAI Flowise
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-31&host_type=src&vulnerability=cve-2025-26319
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-04-01&host_type=src&vulnerability=cve-2025-26319
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-04-03&host_type=src&vulnerability=cve-2025-26319
- https://
Suricata · 2025-04-07 · CVSS 9.8
CVE-2025-26319 [CRITICAL] ET WEB_SPECIFIC_APPS Flowise Pre-Auth Arbitrary File Upload Attempt (CVE-2025-26319)
Rule: sid:2061358, rev:1 (the full rule text is quoted under Detection & IOCs above).
Nuclei · CVSS 9.8
CVE-2025-26319 [CRITICAL] FlowiseAI Flowise <= 2.2.6 - Arbitrary File Upload
FlowiseAI Flowise version 2.2.6 and below contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. This vulnerability allows an unauthenticated attacker to upload files outside the intended directory through path traversal, potentially leading to API key exposure and remote code execution. The vulnerability can be exploited by uploading a malicious file to overwrite the .flowise/api.json configuration file.
Template:
```yaml
id: CVE-2025-26319

info:
  name: FlowiseAI Flowise <= 2.2.6 - Arbitrary File Upload
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    FlowiseAI Flowise version 2.2.6 and below contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. This vulnerabilit
```
Bleepingcomputer (blogs_bleepingcomputer) · 2026-04-07 · CVSS 9.8
[CRITICAL] Max severity Flowise RCE vulnerability now exploited in attacks
## Max severity Flowise RCE vulnerability now exploited in attacks
By Bill Toulas
The developer addressed the issue in Flowise version 3.0.6. The latest current version is 3.1.1, released two weeks ago.
Flowise is an open-source, low-code platform for building AI agents and LLM-based workflows. It provides a drag-and-drop interface that lets users connect components into pipelines powering chatbots, automation, and AI systems.
It is used by a broad range of users, including developers working in AI prototyping, non-technical users working with no-code toolsets, and companies that operate customer support chatbots and knowledge-based assistants.
Caitlin Condon, security researcher at vulnerability intelligence company VulnCheck, announced on LinkedIn that exploitation of CVE-2025-5952
Hackernews (blogs_hackernews) · 2026-04-07 · CVSS 9.8
CVE-2025-59528 [CRITICAL] Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
## Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.
The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.
"The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server," Flowise said in an advisory released in September 2025. "This node parses the user-provided
Greynoiseio (blogs_greynoiseio)
NoiseLetter June 2025