Flowise – Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.

AI Analysis

Unauthenticated arbitrary file upload vulnerability via /api/v1/attachments endpoint

Basic Information

ID CVE-2025-71333

Source VulnCheck

Published Jun 25, 2026 at 21:41

Affected Product

Vendor Flowise

Product Flowise

Affected Versions Flowise Flowise 0

CWE Classification

CWE-73

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Flowise

Product Flowise

Version 2.2.4 and prior

References

{
    "lastseen": "",
    "description": "Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.",
    "published": "2026-06-25T21:41:04.896Z",
    "modified": "2026-06-25T21:41:04.896Z",
    "type": "cve",
    "title": "Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint",
    "source": "VulnCheck",
    "references": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g\nhttps://www.vulncheck.com/advisories/flowise-arbitrary-file-upload-via-unauthenticated-api-v1-attachments-endpoint",
    "id": "CVE-2025-71333",
    "bulletinFamily": "",
    "cwe": [
        "CWE-73"
    ],
    "cvelist": null,
    "sourceData": "Flowise Flowise 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Flowise",
    "version": "0",
    "vendor": "Flowise",
    "ai_description": "Unauthenticated arbitrary file upload vulnerability via /api/v1/attachments endpoint",
    "ai_severity": "Critical",
    "ai_vendor": "Flowise",
    "ai_product": "Flowise",
    "ai_version": "2.2.4 and prior",
    "ai_score": 9.3
}

Flowise – Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint_CVE-2025-71333