{
"document": {
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "National Cyber Security Centre",
"namespace": "https://www.ncsc.nl/"
},
"title": "CVE-2026-30821",
"tracking": {
"current_release_date": "2026-03-23T04:06:08.067702Z",
"generator": {
"date": "2026-02-17T15:00:00Z",
"engine": {
"name": "V.E.L.M.A",
"version": "1.7"
}
},
"id": "CVE-2026-30821",
"initial_release_date": "2026-03-06T13:06:49.807397Z",
"revision_history": [
{
"date": "2026-03-06T13:06:49.807397Z",
"number": "1",
"summary": "CVE created.| Source connected.| CVE status created. (valid)| Products connected (1).| References created (9)."
},
{
"date": "2026-03-06T13:06:51.896748Z",
"number": "2",
"summary": "NCSC Score created."
},
{
"date": "2026-03-06T19:56:05.327538Z",
"number": "3",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
},
{
"date": "2026-03-06T19:56:11.027265Z",
"number": "4",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-07T00:21:07.700231Z",
"number": "5",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (1).| CWES updated (1)."
},
{
"date": "2026-03-07T00:21:12.848906Z",
"number": "6",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-07T05:24:43.120003Z",
"number": "7",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
},
{
"date": "2026-03-07T05:24:53.124595Z",
"number": "8",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-07T05:38:52.633042Z",
"number": "9",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)."
},
{
"date": "2026-03-07T05:38:57.772121Z",
"number": "10",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-07T14:46:37.505307Z",
"number": "11",
"summary": "Source created.| CVE status created. (valid)| EPSS created."
},
{
"date": "2026-03-07T14:46:42.715608Z",
"number": "12",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-09T13:39:52.627223Z",
"number": "13",
"summary": "References created (2)."
},
{
"date": "2026-03-09T13:39:55.310780Z",
"number": "14",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-09T18:21:04.072143Z",
"number": "15",
"summary": "References created (2)."
},
{
"date": "2026-03-09T18:21:10.734549Z",
"number": "16",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-09T21:38:52.085837Z",
"number": "17",
"summary": "Unknown change."
},
{
"date": "2026-03-11T14:25:33.728431Z",
"number": "18",
"summary": "CVSS created.| Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
},
{
"date": "2026-03-11T14:25:40.454747Z",
"number": "19",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-19T15:29:22.205456Z",
"number": "20",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
},
{
"date": "2026-03-19T15:29:25.162455Z",
"number": "21",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-20T09:33:59.729639Z",
"number": "22",
"summary": "Source connected.| CVE status created. (valid)| EPSS created."
}
],
"status": "interim",
"version": "22"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/<3.0.13",
"product": {
"name": "vers:unknown/<3.0.13",
"product_id": "CSAFPID-5768607",
"product_identification_helper": {
"cpe": "cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "Flowise"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/>=0|<3.0.13",
"product": {
"name": "vers:unknown/>=0|<3.0.13",
"product_id": "CSAFPID-5767907"
}
}
],
"category": "product_name",
"name": "flowise"
}
],
"category": "vendor",
"name": "FlowiseAI"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/<3.0.13",
"product": {
"name": "vers:unknown/<3.0.13",
"product_id": "CSAFPID-5766734"
}
}
],
"category": "product_name",
"name": "Flowise"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-30821",
"cwe": {
"id": "CWE-434",
"name": "Unrestricted Upload of File with Dangerous Type"
},
"notes": [
{
"category": "description",
"text": "### Vulnerability **Description**\n\n---\n\n**Vulnerability Overview**\n \n- The `/api/v1/attachments/:chatflowId/:chatId` endpoint is listed in `WHITELIST_URLS`, allowing unauthenticated access to the file upload API.\n- While the server validates uploads based on the MIME types defined in `chatbotConfig.fullFileUpload.allowedUploadFileTypes`, it implicitly trusts the client-provided `Content-Type` header (`file.mimetype`) without verifying the file's actual content (magic bytes) or extension (`file.originalname`).\n- Consequently, an attacker can bypass this restriction by spoofing the `Content-Type` as a permitted type (e.g., `application/pdf`) while uploading malicious scripts or arbitrary files. Once uploaded via `addArrayFilesToStorage`, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE).\n\n**Vulnerable Code**\n\n- Upload Route Definition\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/attachments/index.ts#L7-L10\n \n ```tsx\n // CREATE\n router.post('/:chatflowId/:chatId', getMulterStorage().array('files'), attachmentsController.createAttachment)\n export default router\n ```\n \n- Mount /api/v1/attachments to the global router\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/index.ts#L72-L77\n \n ```tsx\n const router = express.Router()\n router.use('/ping', pingRouter)\n router.use('/apikey', apikeyRouter)\n router.use('/assistants', assistantsRouter)\n router.use('/attachments', attachmentsRouter)\n ```\n \n- Include /api/v1/attachments in the WHITELIST_URLS list\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/constants.ts#L6-L26\n \n ```tsx\n export const WHITELIST_URLS = [\n '/api/v1/verify/apikey/',\n '/api/v1/chatflows/apikey/',\n '/api/v1/public-chatflows',\n '/api/v1/public-chatbotConfig',\n '/api/v1/public-executions',\n '/api/v1/prediction/',\n '/api/v1/vector/upsert/',\n '/api/v1/node-icon/',\n '/api/v1/components-credentials-icon/',\n '/api/v1/chatflows-streaming',\n '/api/v1/chatflows-uploads',\n '/api/v1/openai-assistants-file/download',\n '/api/v1/feedback',\n '/api/v1/leads',\n '/api/v1/get-upload-file',\n '/api/v1/ip',\n '/api/v1/ping',\n '/api/v1/version',\n '/api/v1/attachments',\n '/api/v1/metrics',\n ```\n \n- Bypass JWT validation if the URL is whitelisted\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/index.ts#L213-L228\n \n ```tsx\n const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : []\n const whitelistURLs = WHITELIST_URLS.filter((url) => !denylistURLs.includes(url))\n const URL_CASE_INSENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//i\n const URL_CASE_SENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//\n \n await initializeJwtCookieMiddleware(this.app, this.identityManager)\n \n this.app.use(async (req, res, next) => {\n // Step 1: Check if the req path contains /api/v1 regardless of case\n if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {\n // Step 2: Check if the req path is casesensitive\n if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {\n // Step 3: Check if the req path is in the whitelist\n const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))\n if (isWhitelisted) {\n next()\n ```\n \n- Multer Configuration: Saves files without file type validation\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/index.ts#L1917-L1960\n \n ```tsx\n export const getUploadPath = (): string => {\n return process.env.BLOB_STORAGE_PATH\n ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')\n : path.join(getUserHome(), '.flowise', 'uploads')\n }\n \n export function generateId() {\n return uuidv4()\n }\n \n export const getMulterStorage = () => {\n const storageType = process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : 'local'\n \n if (storageType === 's3') {\n const s3Client = getS3Config().s3Client\n const Bucket = getS3Config().Bucket\n \n const upload = multer({\n storage: multerS3({\n s3: s3Client,\n bucket: Bucket,\n metadata: function (req, file, cb) {\n cb(null, { fieldName: file.fieldname, originalName: file.originalname })\n },\n key: function (req, file, cb) {\n cb(null, `${generateId()}`)\n }\n })\n })\n return upload\n } else if (storageType === 'gcs') {\n return multer({\n storage: new MulterGoogleCloudStorage({\n projectId: process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID,\n bucket: process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME,\n keyFilename: process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL,\n uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,\n destination: `uploads/${generateId()}`\n })\n })\n } else {\n return multer({ dest: getUploadPath() })\n }\n }\n ```\n \n- Transfers uploaded files to storage without verification\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/createAttachment.ts#L124-L158\n \n ```tsx\n const files = (req.files as Express.Multer.File[]) || []\n const fileAttachments = []\n if (files.length) {\n const isBase64 = req.body.base64\n for (const file of files) {\n if (!allowedFileTypes.length) {\n throw new InternalFlowiseError(\n StatusCodes.BAD_REQUEST,\n `File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}`\n )\n }\n \n // Validate file type against allowed types\n if (allowedFileTypes.length > 0 && !allowedFileTypes.includes(file.mimetype)) {\n throw new InternalFlowiseError(\n StatusCodes.BAD_REQUEST,\n `File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}`\n )\n }\n \n await checkStorage(orgId, subscriptionId, appServer.usageCacheManager)\n \n const fileBuffer = await getFileFromUpload(file.path ?? file.key)\n const fileNames: string[] = []\n // Address file name with special characters: https://github.com/expressjs/multer/issues/1104\n file.originalname = Buffer.from(file.originalname, 'latin1').toString('utf8')\n const { path: storagePath, totalSize } = await addArrayFilesToStorage(\n file.mimetype,\n fileBuffer,\n file.originalname,\n fileNames,\n orgId,\n chatflowid,\n chatId\n )\n ```\n \n\n### PoC\n\n---\n\n**PoC Description**\n \n- Create a local file named `shell.js` containing arbitrary JavaScript code (or a malicious payload).\n- Send a `multipart/form-data` request to the `/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/:chatId` endpoint without any authentication (login, session, or API keys).\n- During the upload, retain the filename as `shell.js` but spoof the `Content-Type` header as `application/pdf`.\n- This exploits the server's reliance solely on the client-provided `file.mimetype`, forcing it to process the malicious JS file as an allowed PDF, thereby confirming unauthenticated arbitrary file upload.\n\n**PoC**\n\n\n```bash\ncurl -X POST \\\n \"http://localhost:3000/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/$(uuidgen)\" \\\n -F \"files=@shell.js;type=application/pdf\"\n```\n\n![\"image\"](\"https://github.com/user-attachments/assets/45679d95-00b9-4bee-9c94-7bd9403554d5\")
\n\n\n### Impact\n\n---\n\n**1. Root Cause**\nThe vulnerability stems from relying solely on the MIME type without cross-validating the file extension or actual content. This allows attackers to upload executable files (e.g., `.js`, `.php`) or malicious scripts (`.html`) by masquerading them as benign images or documents.\n\n**2. Key Attack Scenarios**\n\n- **Server Compromise (RCE):** An attacker uploads a **Web Shell** and triggers its execution on the server. Successful exploitation grants system privileges, allowing unauthorized access to internal data and full control over the server.\n- **Client-Side Attack (Stored XSS):** An attacker uploads files containing malicious scripts (e.g., HTML, SVG). When a victim views the file, the script executes within their browser, leading to session cookie theft and account takeover.\n\n**3. Impact**\nThis vulnerability is rated as **High** severity. The risk is particularly critical if the system utilizes shared storage (e.g., S3, GCS) or static hosting features, as the compromise could spread to the entire infrastructure and affect other tenants.",
"title": "github - https://github.com/advisories/GHSA-j8g8-j7fc-43v6"
},
{
"category": "description",
"text": "### Vulnerability **Description**\n\n---\n\n**Vulnerability Overview**\n \n- The `/api/v1/attachments/:chatflowId/:chatId` endpoint is listed in `WHITELIST_URLS`, allowing unauthenticated access to the file upload API.\n- While the server validates uploads based on the MIME types defined in `chatbotConfig.fullFileUpload.allowedUploadFileTypes`, it implicitly trusts the client-provided `Content-Type` header (`file.mimetype`) without verifying the file's actual content (magic bytes) or extension (`file.originalname`).\n- Consequently, an attacker can bypass this restriction by spoofing the `Content-Type` as a permitted type (e.g., `application/pdf`) while uploading malicious scripts or arbitrary files. Once uploaded via `addArrayFilesToStorage`, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE).\n\n**Vulnerable Code**\n\n- Upload Route Definition\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/attachments/index.ts#L7-L10\n \n ```tsx\n // CREATE\n router.post('/:chatflowId/:chatId', getMulterStorage().array('files'), attachmentsController.createAttachment)\n export default router\n ```\n \n- Mount /api/v1/attachments to the global router\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/index.ts#L72-L77\n \n ```tsx\n const router = express.Router()\n router.use('/ping', pingRouter)\n router.use('/apikey', apikeyRouter)\n router.use('/assistants', assistantsRouter)\n router.use('/attachments', attachmentsRouter)\n ```\n \n- Include /api/v1/attachments in the WHITELIST_URLS list\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/constants.ts#L6-L26\n \n ```tsx\n export const WHITELIST_URLS = [\n '/api/v1/verify/apikey/',\n '/api/v1/chatflows/apikey/',\n '/api/v1/public-chatflows',\n '/api/v1/public-chatbotConfig',\n '/api/v1/public-executions',\n '/api/v1/prediction/',\n '/api/v1/vector/upsert/',\n '/api/v1/node-icon/',\n '/api/v1/components-credentials-icon/',\n '/api/v1/chatflows-streaming',\n '/api/v1/chatflows-uploads',\n '/api/v1/openai-assistants-file/download',\n '/api/v1/feedback',\n '/api/v1/leads',\n '/api/v1/get-upload-file',\n '/api/v1/ip',\n '/api/v1/ping',\n '/api/v1/version',\n '/api/v1/attachments',\n '/api/v1/metrics',\n ```\n \n- Bypass JWT validation if the URL is whitelisted\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/index.ts#L213-L228\n \n ```tsx\n const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : []\n const whitelistURLs = WHITELIST_URLS.filter((url) => !denylistURLs.includes(url))\n const URL_CASE_INSENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//i\n const URL_CASE_SENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//\n \n await initializeJwtCookieMiddleware(this.app, this.identityManager)\n \n this.app.use(async (req, res, next) => {\n // Step 1: Check if the req path contains /api/v1 regardless of case\n if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {\n // Step 2: Check if the req path is casesensitive\n if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {\n // Step 3: Check if the req path is in the whitelist\n const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))\n if (isWhitelisted) {\n next()\n ```\n \n- Multer Configuration: Saves files without file type validation\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/index.ts#L1917-L1960\n \n ```tsx\n export const getUploadPath = (): string => {\n return process.env.BLOB_STORAGE_PATH\n ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')\n : path.join(getUserHome(), '.flowise', 'uploads')\n }\n \n export function generateId() {\n return uuidv4()\n }\n \n export const getMulterStorage = () => {\n const storageType = process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : 'local'\n \n if (storageType === 's3') {\n const s3Client = getS3Config().s3Client\n const Bucket = getS3Config().Bucket\n \n const upload = multer({\n storage: multerS3({\n s3: s3Client,\n bucket: Bucket,\n metadata: function (req, file, cb) {\n cb(null, { fieldName: file.fieldname, originalName: file.originalname })\n },\n key: function (req, file, cb) {\n cb(null, `${generateId()}`)\n }\n })\n })\n return upload\n } else if (storageType === 'gcs') {\n return multer({\n storage: new MulterGoogleCloudStorage({\n projectId: process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID,\n bucket: process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME,\n keyFilename: process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL,\n uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,\n destination: `uploads/${generateId()}`\n })\n })\n } else {\n return multer({ dest: getUploadPath() })\n }\n }\n ```\n \n- Transfers uploaded files to storage without verification\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/createAttachment.ts#L124-L158\n \n ```tsx\n const files = (req.files as Express.Multer.File[]) || []\n const fileAttachments = []\n if (files.length) {\n const isBase64 = req.body.base64\n for (const file of files) {\n if (!allowedFileTypes.length) {\n throw new InternalFlowiseError(\n StatusCodes.BAD_REQUEST,\n `File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}`\n )\n }\n \n // Validate file type against allowed types\n if (allowedFileTypes.length > 0 && !allowedFileTypes.includes(file.mimetype)) {\n throw new InternalFlowiseError(\n StatusCodes.BAD_REQUEST,\n `File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}`\n )\n }\n \n await checkStorage(orgId, subscriptionId, appServer.usageCacheManager)\n \n const fileBuffer = await getFileFromUpload(file.path ?? file.key)\n const fileNames: string[] = []\n // Address file name with special characters: https://github.com/expressjs/multer/issues/1104\n file.originalname = Buffer.from(file.originalname, 'latin1').toString('utf8')\n const { path: storagePath, totalSize } = await addArrayFilesToStorage(\n file.mimetype,\n fileBuffer,\n file.originalname,\n fileNames,\n orgId,\n chatflowid,\n chatId\n )\n ```\n \n\n### PoC\n\n---\n\n**PoC Description**\n \n- Create a local file named `shell.js` containing arbitrary JavaScript code (or a malicious payload).\n- Send a `multipart/form-data` request to the `/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/:chatId` endpoint without any authentication (login, session, or API keys).\n- During the upload, retain the filename as `shell.js` but spoof the `Content-Type` header as `application/pdf`.\n- This exploits the server's reliance solely on the client-provided `file.mimetype`, forcing it to process the malicious JS file as an allowed PDF, thereby confirming unauthenticated arbitrary file upload.\n\n**PoC**\n\n\n```bash\ncurl -X POST \\\n \"http://localhost:3000/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/$(uuidgen)\" \\\n -F \"files=@shell.js;type=application/pdf\"\n```\n\n\n\n\n### Impact\n\n---\n\n**1. Root Cause**\nThe vulnerability stems from relying solely on the MIME type without cross-validating the file extension or actual content. This allows attackers to upload executable files (e.g., `.js`, `.php`) or malicious scripts (`.html`) by masquerading them as benign images or documents.\n\n**2. Key Attack Scenarios**\n\n- **Server Compromise (RCE):** An attacker uploads a **Web Shell** and triggers its execution on the server. Successful exploitation grants system privileges, allowing unauthorized access to internal data and full control over the server.\n- **Client-Side Attack (Stored XSS):** An attacker uploads files containing malicious scripts (e.g., HTML, SVG). When a victim views the file, the script executes within their browser, leading to session cookie theft and account takeover.\n\n**3. Impact**\nThis vulnerability is rated as **High** severity. The risk is particularly critical if the system utilizes shared storage (e.g., S3, GCS) or static hosting features, as the compromise could spread to the entire infrastructure and affect other tenants.",
"title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-j8g8-j7fc-43v6.json?alt=media"
},
{
"category": "description",
"text": "Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13.",
"title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-30821"
},
{
"category": "description",
"text": "Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13.",
"title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-30821"
},
{
"category": "description",
"text": "### Vulnerability **Description**\n\n---\n\n**Vulnerability Overview**\n \n- The `/api/v1/attachments/:chatflowId/:chatId` endpoint is listed in `WHITELIST_URLS`, allowing unauthenticated access to the file upload API.\n- While the server validates uploads based on the MIME types defined in `chatbotConfig.fullFileUpload.allowedUploadFileTypes`, it implicitly trusts the client-provided `Content-Type` header (`file.mimetype`) without verifying the file's actual content (magic bytes) or extension (`file.originalname`).\n- Consequently, an attacker can bypass this restriction by spoofing the `Content-Type` as a permitted type (e.g., `application/pdf`) while uploading malicious scripts or arbitrary files. Once uploaded via `addArrayFilesToStorage`, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE).\n\n**Vulnerable Code**\n\n- Upload Route Definition\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/attachments/index.ts#L7-L10\n \n ```tsx\n // CREATE\n router.post('/:chatflowId/:chatId', getMulterStorage().array('files'), attachmentsController.createAttachment)\n export default router\n ```\n \n- Mount /api/v1/attachments to the global router\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/index.ts#L72-L77\n \n ```tsx\n const router = express.Router()\n router.use('/ping', pingRouter)\n router.use('/apikey', apikeyRouter)\n router.use('/assistants', assistantsRouter)\n router.use('/attachments', attachmentsRouter)\n ```\n \n- Include /api/v1/attachments in the WHITELIST_URLS list\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/constants.ts#L6-L26\n \n ```tsx\n export const WHITELIST_URLS = [\n '/api/v1/verify/apikey/',\n '/api/v1/chatflows/apikey/',\n '/api/v1/public-chatflows',\n '/api/v1/public-chatbotConfig',\n '/api/v1/public-executions',\n '/api/v1/prediction/',\n '/api/v1/vector/upsert/',\n '/api/v1/node-icon/',\n '/api/v1/components-credentials-icon/',\n '/api/v1/chatflows-streaming',\n '/api/v1/chatflows-uploads',\n '/api/v1/openai-assistants-file/download',\n '/api/v1/feedback',\n '/api/v1/leads',\n '/api/v1/get-upload-file',\n '/api/v1/ip',\n '/api/v1/ping',\n '/api/v1/version',\n '/api/v1/attachments',\n '/api/v1/metrics',\n ```\n \n- Bypass JWT validation if the URL is whitelisted\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/index.ts#L213-L228\n \n ```tsx\n const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : []\n const whitelistURLs = WHITELIST_URLS.filter((url) => !denylistURLs.includes(url))\n const URL_CASE_INSENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//i\n const URL_CASE_SENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//\n \n await initializeJwtCookieMiddleware(this.app, this.identityManager)\n \n this.app.use(async (req, res, next) => {\n // Step 1: Check if the req path contains /api/v1 regardless of case\n if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {\n // Step 2: Check if the req path is casesensitive\n if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {\n // Step 3: Check if the req path is in the whitelist\n const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))\n if (isWhitelisted) {\n next()\n ```\n \n- Multer Configuration: Saves files without file type validation\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/index.ts#L1917-L1960\n \n ```tsx\n export const getUploadPath = (): string => {\n return process.env.BLOB_STORAGE_PATH\n ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')\n : path.join(getUserHome(), '.flowise', 'uploads')\n }\n \n export function generateId() {\n return uuidv4()\n }\n \n export const getMulterStorage = () => {\n const storageType = process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : 'local'\n \n if (storageType === 's3') {\n const s3Client = getS3Config().s3Client\n const Bucket = getS3Config().Bucket\n \n const upload = multer({\n storage: multerS3({\n s3: s3Client,\n bucket: Bucket,\n metadata: function (req, file, cb) {\n cb(null, { fieldName: file.fieldname, originalName: file.originalname })\n },\n key: function (req, file, cb) {\n cb(null, `${generateId()}`)\n }\n })\n })\n return upload\n } else if (storageType === 'gcs') {\n return multer({\n storage: new MulterGoogleCloudStorage({\n projectId: process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID,\n bucket: process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME,\n keyFilename: process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL,\n uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,\n destination: `uploads/${generateId()}`\n })\n })\n } else {\n return multer({ dest: getUploadPath() })\n }\n }\n ```\n \n- Transfers uploaded files to storage without verification\n \n https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/createAttachment.ts#L124-L158\n \n ```tsx\n const files = (req.files as Express.Multer.File[]) || []\n const fileAttachments = []\n if (files.length) {\n const isBase64 = req.body.base64\n for (const file of files) {\n if (!allowedFileTypes.length) {\n throw new InternalFlowiseError(\n StatusCodes.BAD_REQUEST,\n `File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}`\n )\n }\n \n // Validate file type against allowed types\n if (allowedFileTypes.length > 0 && !allowedFileTypes.includes(file.mimetype)) {\n throw new InternalFlowiseError(\n StatusCodes.BAD_REQUEST,\n `File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}`\n )\n }\n \n await checkStorage(orgId, subscriptionId, appServer.usageCacheManager)\n \n const fileBuffer = await getFileFromUpload(file.path ?? file.key)\n const fileNames: string[] = []\n // Address file name with special characters: https://github.com/expressjs/multer/issues/1104\n file.originalname = Buffer.from(file.originalname, 'latin1').toString('utf8')\n const { path: storagePath, totalSize } = await addArrayFilesToStorage(\n file.mimetype,\n fileBuffer,\n file.originalname,\n fileNames,\n orgId,\n chatflowid,\n chatId\n )\n ```\n \n\n### PoC\n\n---\n\n**PoC Description**\n \n- Create a local file named `shell.js` containing arbitrary JavaScript code (or a malicious payload).\n- Send a `multipart/form-data` request to the `/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/:chatId` endpoint without any authentication (login, session, or API keys).\n- During the upload, retain the filename as `shell.js` but spoof the `Content-Type` header as `application/pdf`.\n- This exploits the server's reliance solely on the client-provided `file.mimetype`, forcing it to process the malicious JS file as an allowed PDF, thereby confirming unauthenticated arbitrary file upload.\n\n**PoC**\n\n\n```bash\ncurl -X POST \\\n \"http://localhost:3000/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/$(uuidgen)\" \\\n -F \"files=@shell.js;type=application/pdf\"\n```\n\n\n\n\n### Impact\n\n---\n\n**1. Root Cause**\nThe vulnerability stems from relying solely on the MIME type without cross-validating the file extension or actual content. This allows attackers to upload executable files (e.g., `.js`, `.php`) or malicious scripts (`.html`) by masquerading them as benign images or documents.\n\n**2. Key Attack Scenarios**\n\n- **Server Compromise (RCE):** An attacker uploads a **Web Shell** and triggers its execution on the server. Successful exploitation grants system privileges, allowing unauthorized access to internal data and full control over the server.\n- **Client-Side Attack (Stored XSS):** An attacker uploads files containing malicious scripts (e.g., HTML, SVG). When a victim views the file, the script executes within their browser, leading to session cookie theft and account takeover.\n\n**3. Impact**\nThis vulnerability is rated as **High** severity. The risk is particularly critical if the system utilizes shared storage (e.g., S3, GCS) or static hosting features, as the compromise could spread to the entire infrastructure and affect other tenants.",
"title": "github - https://api.github.com/advisories/GHSA-j8g8-j7fc-43v6"
},
{
"category": "other",
"text": "0.00129",
"title": "EPSS"
},
{
"category": "other",
"text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
},
{
"category": "other",
"text": "8.2",
"title": "CVSSV4 base score"
},
{
"category": "other",
"text": "4.5",
"title": "NCSC Score"
},
{
"category": "other",
"text": "There is product data available from source Certbundde, The value of the most recent CVSS (V4) score",
"title": "NCSC Score top increasing factors"
},
{
"category": "other",
"text": "Is related to CWE-434 (Unrestricted Upload of File with Dangerous Type), There is exploit data available from source Nvd, Is related to (a version of) an uncommon product",
"title": "NCSC Score top decreasing factors"
}
],
"product_status": {
"known_affected": [
"CSAFPID-5766734",
"CSAFPID-5767907",
"CSAFPID-5768607"
]
},
"references": [
{
"category": "external",
"summary": "Source - certbundde",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0626.json"
},
{
"category": "external",
"summary": "Source - github",
"url": "https://github.com/advisories/GHSA-j8g8-j7fc-43v6"
},
{
"category": "external",
"summary": "Source raw - github",
"url": "https://api.github.com/advisories/GHSA-j8g8-j7fc-43v6"
},
{
"category": "external",
"summary": "Source - osv",
"url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-j8g8-j7fc-43v6.json?alt=media"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30821"
},
{
"category": "external",
"summary": "Source raw - nvd",
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-30821"
},
{
"category": "external",
"summary": "Source - cveprojectv5",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-30821"
},
{
"category": "external",
"summary": "Source raw - cveprojectv5",
"url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/30xxx/CVE-2026-30821.json"
},
{
"category": "external",
"summary": "Source - first",
"url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30821"
},
{
"category": "external",
"summary": "Source raw - first",
"url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
},
{
"category": "external",
"summary": "Source - github",
"url": "https://api.github.com/advisories/GHSA-j8g8-j7fc-43v6"
},
{
"category": "external",
"summary": "Source - first",
"url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
},
{
"category": "external",
"summary": "Reference - certbundde",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0626.json"
},
{
"category": "external",
"summary": "Reference - certbundde",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0626"
},
{
"category": "external",
"summary": "Reference - certbundde",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5f53-522j-j454"
},
{
"category": "external",
"summary": "Reference - certbundde",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cwc3-p92j-g7qm"
},
{
"category": "external",
"summary": "Reference - certbundde; cveprojectv5; github; nvd; osv",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6"
},
{
"category": "external",
"summary": "Reference - certbundde",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jc5m-wrp2-qq38"
},
{
"category": "external",
"summary": "Reference - certbundde",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-mq4r-h2gh-qv7x"
},
{
"category": "external",
"summary": "Reference - certbundde",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq"
},
{
"category": "external",
"summary": "Reference - certbundde",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x2g5-fvc2-gqvp"
},
{
"category": "external",
"summary": "Reference - github",
"url": "https://github.com/advisories/GHSA-j8g8-j7fc-43v6"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd; osv",
"url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13"
},
{
"category": "external",
"summary": "Reference - github; osv",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30821"
}
],
"scores": [
{
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
},
"products": [
"CSAFPID-5766734",
"CSAFPID-5767907",
"CSAFPID-5768607"
]
}
],
"title": "CVE-2026-30821"
}
]
}