CVE-2026-30821

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.13

Description Flowise has a flaw where the /api/v1/attachments/:chatflowId/:chatId endpoint allows unauthenticated access to the file upload API because it is included in the WHITELIST URLS. The server trusts the client-provided Content-Type header without verifying the file's actual content or extension, allowing attackers to bypass file type restrictions by spoofing the Content-Type. Once uploaded via addArrayFilesToStorage, these files are stored in backend storage (S3, GCS, or local disk). This can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE) if chained with other features. The vulnerability is related to the improper handling of file uploads and the lack of content validation.

Recommendations Versions prior to 3.0.13 should be updated to version 3.0.13 or later.