CVE-2026-41269
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.
Ver en NVDAnálisis
Flowise versions prior to 3.1.0 are vulnerable to a file upload bypass that allows attackers to store and execute malicious Node.js code. If you are using Flowise to build LLM workflows, upgrade to version 3.1.0 immediately to prevent potential remote code execution on your server.
Severidad
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:NCWE-434EPSS
Afecta
flowiseai:flowiseDescripción técnica
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.