#VU125532 Arbitrary file upload in Flowise - CVE-2026-30821

 


Published: April 9, 2026


Vulnerability identifier: #VU125532
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-30821
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Flowise
Software vendor:
FlowiseAI

Description

The vulnerability allows a remote attacker to upload arbitrary files.

The vulnerability exists due to unrestricted upload of a file with a dangerous type in the /api/v1/attachments/:chatflowId/:chatId endpoint: when handling file upload requests, the endpoint relies on the client-supplied Content-Type header to determine the file type. A remote attacker can send a specially crafted multipart/form-data request with a spoofed MIME type to upload arbitrary files.

The affected endpoint is whitelisted, allowing unauthenticated access, and uploaded files may persist in S3, GCS, or local storage.
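The root cause above is trusting the multipart part's declared Content-Type. The following is an added illustration of the defensive pattern, not Flowise's own code: the server sniffs the leading bytes, checks the detected type against an allowlist, and rejects any upload whose declared header disagrees with its content. The magic-byte table, the allowlist and the sample parts are constructed for the example; content validation complements, and does not replace, authentication on the endpoint.

```javascript
// Added example (not Flowise's own code): accept an upload based on what the
// bytes are, never on the client-supplied multipart Content-Type header.
// Small constructed magic-byte table; a real deployment would use a full one.
const MAGIC = [
  { mime: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
];

// Return the MIME type implied by the leading bytes, or null if unrecognised.
function sniffMime(buf) {
  for (const { mime, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) {
      return mime;
    }
  }
  return null;
}

// Decide whether to store an upload. `declared` is the Content-Type the
// client sent for the part; it is compared against the sniffed type, never
// used on its own to authorise storage.
function checkUpload(declared, buf, allowed = new Set(['image/png', 'image/jpeg', 'application/pdf'])) {
  const actual = sniffMime(buf);
  if (actual === null) return { ok: false, reason: 'unrecognised content' };
  if (!allowed.has(actual)) return { ok: false, reason: `type ${actual} not allowed` };
  if (declared !== actual) {
    // Header/content mismatch is the spoofing pattern from the advisory;
    // reject it and return a reason worth logging for detection.
    return { ok: false, reason: `declared ${declared} but content is ${actual}` };
  }
  return { ok: true, mime: actual };
}

// Constructed sample parts: a genuine PNG signature, and plain text that the
// client labels as image/png.
const pngHeader = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00]);
const spoofed = Buffer.from('this is not an image');
console.log(checkUpload('image/png', pngHeader)); // { ok: true, mime: 'image/png' }
console.log(checkUpload('image/png', spoofed));   // { ok: false, reason: 'unrecognised content' }
```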


Remediation

Install security update from vendor's website.

External links