PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-71334 Flowise CVE debrief

CVE-2025-71334 is a critical vulnerability in Flowise, a platform for building AI workflows. Because the chatflowId and chatId parameters are not validated, unauthenticated attackers can read and write arbitrary files, and arbitrary file write can lead to remote code execution. The vulnerability affects Flowise versions 2.2.8 and earlier, prior to 3.0.6. It carries a CVSS score of 9.3, indicating critical severity. The vulnerability was published on June 25, 2026, and last modified on July 1, 2026.

Vendor: Flowise
Product: Unknown
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-07-01
Advisory published: 2026-06-25
Advisory updated: 2026-07-01

Who should care

Organizations using Flowise for AI workflow management should prioritize patching this vulnerability. The vulnerability's critical severity and potential for remote code execution make it a high-risk issue. Security teams should ensure that Flowise instances are updated to version 3.0.6 or later.

Technical summary

The vulnerability in Flowise arises from file-handling operations that do not validate the chatflowId and chatId parameters. An attacker can supply path-traversal values in these parameters to write arbitrary files via the /api/v1/chatflows endpoint and to read arbitrary files via the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints; an arbitrary file write on the server can lead to remote code execution. The CVSS score of 9.3 indicates critical severity.

Defensive priority

Patching Flowise instances is a high priority, given the critical severity and the unauthenticated path to remote code execution. Security teams should verify that Flowise is updated to version 3.0.6 or later.

Recommended defensive actions

  • Update Flowise to version 3.0.6 or later
  • Verify validation of chatflowId and chatId parameters in file handling operations
  • Monitor for suspicious activity on /api/v1/chatflows, /api/v1/get-upload-file, and /api/v1/openai-assistants-file/download endpoints
  • Implement additional security measures to detect and prevent path-traversal attacks
  • Review and update incident response plans to address potential remote code execution

Evidence notes

The vulnerability was reported by an unnamed source and is detailed in the NVD database. The CVE record and NVD detail pages provide additional information on the vulnerability. Vendor advisories and patches are available on the Flowise GitHub repository.

Official resources

This article was generated with AI assistance based on the supplied source corpus.