CVE-2026-41269: CWE-434: Unrestricted Upload of File with Dangerous Type in FlowiseAI Flowise
FlowiseAI Flowise versions prior to 3. 1. 0 contain a vulnerability that allows unrestricted upload of JavaScript files by modifying the Chatflow configuration file upload settings. This enables attackers to upload malicious Node. js web shells to the server, potentially leading to remote code execution. The vulnerability is identified as CWE-434 and has a CVSS score of 7. 1, indicating high severity. A fix for this issue is available in version 3. 1. 0.
AI Analysis
Technical Summary
The vulnerability in FlowiseAI Flowise (CVE-2026-41269) involves unrestricted file upload due to improper validation of MIME types in the Chatflow configuration file upload settings. Prior to version 3.1.0, attackers can modify settings to allow uploads of application/javascript MIME type files, which are normally blocked by the frontend. This allows malicious .js files to be persistently stored on the server, potentially enabling remote code execution via Node.js web shells. The issue is addressed in Flowise version 3.1.0.
Potential Impact
Successful exploitation allows attackers with at least low privileges to upload malicious JavaScript files, leading to persistent server-side code execution capabilities. This can result in unauthorized code execution on the server, compromising confidentiality and integrity. The CVSS vector indicates network attack vector, low attack complexity, no user interaction, and partial confidentiality loss with high integrity impact.
Mitigation Recommendations
Upgrade Flowise to version 3.1.0 or later, where this vulnerability is fixed. Since this is a self-hosted product, administrators must apply the update manually. Patch status is not explicitly stated in vendor advisories but the description confirms the fix in 3.1.0. Until upgraded, restrict access to the file upload functionality to trusted users only.
CVE-2026-41269: CWE-434: Unrestricted Upload of File with Dangerous Type in FlowiseAI Flowise
Description
FlowiseAI Flowise versions prior to 3. 1. 0 contain a vulnerability that allows unrestricted upload of JavaScript files by modifying the Chatflow configuration file upload settings. This enables attackers to upload malicious Node. js web shells to the server, potentially leading to remote code execution. The vulnerability is identified as CWE-434 and has a CVSS score of 7. 1, indicating high severity. A fix for this issue is available in version 3. 1. 0.
CVSS v3.1
Score 7.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in FlowiseAI Flowise (CVE-2026-41269) involves unrestricted file upload due to improper validation of MIME types in the Chatflow configuration file upload settings. Prior to version 3.1.0, attackers can modify settings to allow uploads of application/javascript MIME type files, which are normally blocked by the frontend. This allows malicious .js files to be persistently stored on the server, potentially enabling remote code execution via Node.js web shells. The issue is addressed in Flowise version 3.1.0.
Potential Impact
Successful exploitation allows attackers with at least low privileges to upload malicious JavaScript files, leading to persistent server-side code execution capabilities. This can result in unauthorized code execution on the server, compromising confidentiality and integrity. The CVSS vector indicates network attack vector, low attack complexity, no user interaction, and partial confidentiality loss with high integrity impact.
Mitigation Recommendations
Upgrade Flowise to version 3.1.0 or later, where this vulnerability is fixed. Since this is a self-hosted product, administrators must apply the update manually. Patch status is not explicitly stated in vendor advisories but the description confirms the fix in 3.1.0. Until upgraded, restrict access to the file upload functionality to trusted users only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-18T14:01:46.801Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ea782987115cfb6850f82d
Added to database: 4/23/2026, 7:51:05 PM
Last enriched: 5/1/2026, 8:44:21 PM
Last updated: 6/8/2026, 2:05:18 AM
Views: 76
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.