Unauthenticated File Upload Vulnerability in Flowise by FlowiseAI
CVE-2025-71333

9.3 CRITICAL

Key Information:

Vendor: Flowise
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2025-71333?

Flowise versions up to and including 2.2.4 are affected by an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. The endpoint does not properly validate the user-supplied chatId and chatflowId parameters, so path traversal sequences in those values are carried into the destination path of the uploaded file. An unauthenticated attacker can therefore write files to arbitrary directories on the server, which can lead to remote code execution and full compromise of the server.
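The mitigation the description implies is to treat chatId and chatflowId as opaque identifiers rather than path fragments. The following TypeScript is an added example written for this page; it is not Flowise's own code or its actual fix. The storage root, the assumption that both identifiers are simple alphanumeric tokens, and the function names are ours.

```typescript
import * as path from "path";

// Assumed identifier shape (example choice, not Flowise's): letters, digits,
// "-" and "_" only. Anything else, including "..", "/" and "\", is rejected
// before it can influence a filesystem path.
const SAFE_ID = /^[A-Za-z0-9_-]{1,64}$/;

export function isSafeId(id: string): boolean {
  return SAFE_ID.test(id);
}

// Compute where an attachment would be stored under the local storage root and
// return null when any input fails validation, so the handler can reply 400
// instead of writing. Two independent checks are applied: an allowlist on each
// identifier, and a containment check on the fully resolved path.
export function resolveAttachmentPath(
  storageRoot: string,
  chatflowId: string,
  chatId: string,
  fileName: string,
): string | null {
  if (!isSafeId(chatflowId) || !isSafeId(chatId)) return null;

  // Only the final component of the client-supplied file name is used; any
  // directory part it carries is discarded rather than trusted.
  const safeName = path.basename(fileName);
  if (safeName === "" || safeName === "." || safeName === "..") return null;

  const root = path.resolve(storageRoot);
  const target = path.resolve(root, chatflowId, chatId, safeName);

  // Defence in depth: even if the allowlist is relaxed later, the resolved
  // path must still lie strictly inside the storage root.
  const rel = path.relative(root, target);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) return null;

  return target;
}
```

Because the web framework URL-decodes route and query values before the handler sees them, an encoded `%2e%2e` arrives as `..` and is caught by the same allowlist; the containment check exists so that a future change to the identifier format cannot silently reintroduce traversal.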

Affected Version(s)

Flowise 0 <= 2.2.4

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

dorattias