Summary: A critical file upload vulnerability has been discovered in Flowise, an open-source platform for AI agents, allowing unauthenticated attackers to upload arbitrary files. This issue, tracked as CVE-2025-26319 with a CVSS score of 9.8, could lead to remote code execution and server compromise. Users are urged to apply a patch or switch to S3 storage to mitigate risks associated with this vulnerability.
Affected: Flowise (Open-source platform for AI agents)
Keypoints:
- Vulnerability CVE-2025-26319 allows attackers to upload malicious files via the /api/v1/attachments route.
- Lack of proper validation can lead to path traversal, file overwrite, and execution of arbitrary code.
- Security researcher Dor Attias has disclosed this vulnerability; however, Flowise has not yet responded with a patch.