Arbitrary File Access Vulnerability in Flowise by FlowiseAI
CVE-2025-71334

9.3CRITICAL

Key Information:

Vendor

Flowise

Status
Flowise
Vendor
CVE Published:
25 June 2026

What is CVE-2025-71334?

Flowise prior to version 3.0.6 is susceptible to an arbitrary file access vulnerability due to insufficient validation on the chatflowId and chatId parameters during file handling. An attacker can exploit this flaw, using path traversal sequences, to access or write arbitrary files by interfacing with specific API endpoints. This could potentially result in remote code execution, enabling further compromise of the targeted system.

Affected Version(s)

Flowise 0 < 3.0.6

Flowise 3.0.6

References

https://github.com/FlowiseAI/Flowise/security/advisories/...
vendor-advisory
https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de...
patch
https://github.com/FlowiseAI/Flowise/commit/c2b830f279e45...
patch

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rpie9
.