CVE-2026-41269 HIGH

CVE-2026-41269: Flowise: File Upload Validation Bypass in createAttachment

Vendor Flowiseai
Product Flowise
Weakness CWE-434 · Unrestricted file upload
Published April 23, 2026
Last update April 24, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

01Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.

Key dates

02Disclosure timeline

April 23, 2026 CVE published
April 24, 2026 Record updated