PatchSiren cyber security CVE debrief
CVE-2025-71334 Flowise CVE debrief
CVE-2025-71334 is a critical vulnerability in Flowise, a platform for building AI workflows. The vulnerability allows unauthenticated attackers to access and write arbitrary files due to missing validation of chatflowId and chatId parameters. This can lead to remote code execution. The vulnerability affects Flowise versions 2.2.8 and earlier, prior to 3.0.6. The CVSS score for this vulnerability is 9.3, indicating a critical severity. The vulnerability was published on June 25, 2026, and last modified on July 1, 2026.
- Vendor: Flowise
- Product: Unknown
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-25
- Original CVE updated: 2026-07-01
- Advisory published: 2026-06-25
- Advisory updated: 2026-07-01
Who should care
Organizations using Flowise for AI workflow management should prioritize patching this vulnerability. The vulnerability's critical severity and potential for remote code execution make it a high-risk issue. Security teams should ensure that Flowise instances are updated to version 3.0.6 or later.
Technical summary
The vulnerability in Flowise arises from missing validation of the chatflowId and chatId parameters in file-handling operations. Attackers can supply path-traversal values in these parameters to write arbitrary files via the /api/v1/chatflows endpoint and to read arbitrary files via the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints, which can lead to remote code execution. The vulnerability carries a CVSS score of 9.3, indicating critical severity.
Defensive priority
High priority should be given to patching Flowise instances to prevent exploitation of this critical vulnerability. Security teams should verify that Flowise is updated to version 3.0.6 or later.
Recommended defensive actions
- Update Flowise to version 3.0.6 or later
- Verify that the chatflowId and chatId parameters are validated in file-handling operations
- Monitor for suspicious activity on /api/v1/chatflows, /api/v1/get-upload-file, and /api/v1/openai-assistants-file/download endpoints
- Implement additional security measures to detect and prevent path-traversal attacks
- Review and update incident response plans to address potential remote code execution
Evidence notes
The vulnerability was reported by an unnamed source and is detailed in the NVD database. The CVE record and NVD detail pages provide additional information on the vulnerability. Vendor advisories and patches are available on the Flowise GitHub repository.
Official resources
- CVE-2025-71334 CVE record (CVE.org)
- CVE-2025-71334 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
This article was generated with AI assistance based on the supplied source corpus.