CVE-2025-71334
Published 2026-06-25
Priority: P268 · critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.86% (53.9th percentile)
Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in file handling operations. By supplying a path-traversal value (e.g., '../../../../../tmp') as the chatflow id, an unauthenticated attacker can use the /api/v1/chatflows endpoint (via addBase64FilesToStorage) to write arbitrary files, and the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints (via streamStorageFile) to read arbitrary files. Arbitrary file write may lead to remote code execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowise | flowise | < 3.0.6 | 3.0.6 |
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
GHSA (unreviewed) · 2026-06-26 · CVE-2025-71334 [CRITICAL] · CWE-73: External Control of File Name or Path
VulDB
CVE-2025-71334 [CRITICAL] Flowise up to 3.0.5 /api/v1/chatflows chatId file inclusion (GHSA-q67q-549q-p849)
vuldb · 2026-06-26 · CVSS 9.8
A vulnerability was found in Flowise up to 3.0.5. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/v1/chatflows. Executing a manipulation of the argument chatId can lead to file inclusion.
The identification of this vulnerability is CVE-2025-71334. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f
https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-q67q-549q-p849
https://www.vulncheck.com/advisories/flowise-arbitrary-file-access-via-missing-chat-flow-id-validation