CVE-2026-30821: flowise: Arbitrary File Upload enables RCE

CRITICAL PoC AVAILABLE CISA: TRACK*

Published March 7, 2026

CISO Take

Any internet-facing Flowise instance running below v3.0.13 is fully compromised — unauthenticated attackers can upload arbitrary files by spoofing Content-Type headers, with a direct path to RCE when chained with Flowise's own file retrieval or static hosting features. Patch to 3.0.13 immediately; if patching is blocked, firewall the /api/v1/attachments endpoint at the perimeter and audit your file storage (S3/GCS/local) for unexpected non-document uploads. Treat any unpatched instance as a beachhead into your AI infrastructure.

What is the risk?

Maximum operational risk. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means any network-reachable Flowise instance is trivially exploitable by an unskilled attacker using off-the-shelf tools. The endpoint is explicitly whitelisted from authentication controls, eliminating any default protective layer. Flowise is widely deployed in enterprise AI environments for LLM orchestration and chatbot workflows — the blast radius extends to any backend storage (S3, GCS, local disk) and any downstream system that retrieves or renders uploaded files. No evidence of active exploitation in CISA KEV at time of publication, but the simplicity of the attack and breadth of deployment makes weaponization timeline very short.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	—	No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

9.8 / 10

EPSS

18.3%

chance of exploitation in 30 days

Higher than 97% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ EPSS exploit prediction: 18%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

6 steps

PATCH

Upgrade to Flowise v3.0.13 immediately — this is the only complete fix.
NETWORK CONTROL

If patching is delayed, block unauthenticated access to /api/v1/attachments/* at the WAF or reverse proxy layer.
STORAGE AUDIT

Enumerate all files in your Flowise storage backend (S3 bucket, GCS bucket, or local upload directory) and flag any non-image/non-document MIME types (e.g., .php, .js, .html, .py, .sh). Remove suspicious files and rotate any credentials stored in Flowise flows.
DETECTION

Alert on POST requests to /api/v1/attachments with Content-Type mismatches (e.g., application/pdf with .php or .html extensions in the filename). Enable S3/GCS access logging and alert on new file writes with executable extensions.
ISOLATION

Ensure Flowise instances are not directly internet-facing unless business-required; place behind authenticated reverse proxy.
SECRET ROTATION

After patching, rotate all API keys (LLM providers, database, external services) stored in Flowise flow configurations as a precaution.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Framework RAG Plugin AML.T0011 - User Execution AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0051.001 - Indirect AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0074 - Masquerading AML.T0079 - Stage Capabilities

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI System Security — Input Validation A.8.1 - AI Risk Treatment — Access Control for AI Resources A.9.2 - Information security in AI system development

NIST AI RMF

GOVERN 1.2 - Accountability — Risk Management Policies MANAGE 2.2 - Mechanisms for AI risk treatment are in place MEASURE 2.5 - AI System Trustworthiness Testing — Security Properties

OWASP LLM Top 10

LLM02 - Insecure Output Handling LLM03:2025 - Supply Chain Vulnerabilities LLM05:2025 - Improper Output Handling LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-30821?

Is CVE-2026-30821 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-30821, increasing the risk of exploitation.

How to fix CVE-2026-30821?

1. PATCH: Upgrade to Flowise v3.0.13 immediately — this is the only complete fix. 2. NETWORK CONTROL: If patching is delayed, block unauthenticated access to /api/v1/attachments/* at the WAF or reverse proxy layer. 3. STORAGE AUDIT: Enumerate all files in your Flowise storage backend (S3 bucket, GCS bucket, or local upload directory) and flag any non-image/non-document MIME types (e.g., .php, .js, .html, .py, .sh). Remove suspicious files and rotate any credentials stored in Flowise flows. 4. DETECTION: Alert on POST requests to /api/v1/attachments with Content-Type mismatches (e.g., application/pdf with .php or .html extensions in the filename). Enable S3/GCS access logging and alert on new file writes with executable extensions. 5. ISOLATION: Ensure Flowise instances are not directly internet-facing unless business-required; place behind authenticated reverse proxy. 6. SECRET ROTATION: After patching, rotate all API keys (LLM providers, database, external services) stored in Flowise flow configurations as a precaution.

What systems are affected by CVE-2026-30821?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow orchestration (Flowise-based), Agent frameworks, Chatbot deployments, RAG pipelines, No-code AI builders, Cloud storage backends (S3/GCS).

What is the CVSS score for CVE-2026-30821?

CVE-2026-30821 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 18.33%.

What is the AI security impact?

Affected AI Architectures

LLM workflow orchestration (Flowise-based)Agent frameworksChatbot deploymentsRAG pipelinesNo-code AI buildersCloud storage backends (S3/GCS)

MITRE ATLAS Techniques

AML.T0011 User Execution

AML.T0025 Exfiltration via Cyber Means

AML.T0049 Exploit Public-Facing Application

AML.T0051.001 Indirect

AML.T0055 Unsecured Credentials

AML.T0072 Reverse Shell

AML.T0074 Masquerading

AML.T0079 Stage Capabilities

Compliance Controls Affected

EU AI Act: Art.15

ISO 42001: A.6.2.6, A.8.1, A.9.2

NIST AI RMF: GOVERN 1.2, MANAGE 2.2, MEASURE 2.5

OWASP LLM Top 10: LLM02, LLM03:2025, LLM05:2025, LLM07

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13.

Exploitation Scenario

An adversary scans for publicly accessible Flowise instances (trivially found via Shodan/Censys querying for Flowise's default port and UI fingerprint). They POST to /api/v1/attachments/{chatflowId}/{chatId} with a request body containing a PHP webshell payload (<?php system($_GET['cmd']); ?>), but set the Content-Type header to application/pdf. Flowise's validation sees application/pdf (an allowed type), stores the file as chatflowId_chatId_webshell.php in the configured backend. If storage is local disk with a web-accessible path, the attacker directly requests the file to trigger RCE. If using S3/GCS with public or semi-public bucket policies, the file is accessible externally and can be delivered as a malicious payload to downstream users. The attacker then achieves full host access, exfiltrating all LLM API keys, database credentials, and configured flow secrets — turning the Flowise node into a persistent foothold within the organization's AI infrastructure.

Weaknesses (CWE)

CWE-434 Unrestricted Upload of File with Dangerous Type Primary

CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

[Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
[Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Source: MITRE CWE corpus.