Unauthenticated File Upload Vulnerability in Flowise by FlowiseAI
CVE-2026-30821
What is CVE-2026-30821?
Flowise, a drag-and-drop interface for building custom large language model flows, allows unauthenticated access to its file upload API in versions before 3.0.13. The endpoint /api/v1/attachments/:chatflowId/:chatId is listed in WHITELIST_URLS, so requests to it bypass authentication entirely. The server's MIME type validation trusts the Content-Type the client declares and never inspects the actual file content, so an attacker can upload arbitrary files simply by setting the Content-Type header to an allowed value. Uploaded files such as scripts are stored on the backend and can be used in follow-on attacks such as stored cross-site scripting (XSS) or, when combined with other system features, remote code execution (RCE). The issue is fixed in version 3.0.13; deployments on earlier versions should upgrade, and operators should review what is already present in the attachment storage of exposed instances.

Affected Version(s)
Flowise < 3.0.13
