CVE-2026-30821: flowise: Arbitrary File Upload enables RCE
CRITICAL | PoC AVAILABLE | CISA: TRACK*
Any internet-facing Flowise instance running below v3.0.13 is fully compromised — unauthenticated attackers can upload arbitrary files by spoofing Content-Type headers, with a direct path to RCE when chained with Flowise's own file retrieval or static hosting features. Patch to 3.0.13 immediately; if patching is blocked, firewall the /api/v1/attachments endpoint at the perimeter and audit your file storage (S3/GCS/local) for unexpected non-document uploads. Treat any unpatched instance as a beachhead into your AI infrastructure.
Risk Assessment
Maximum operational risk. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means any network-reachable Flowise instance is trivially exploitable by an unskilled attacker using off-the-shelf tools. The endpoint is explicitly whitelisted from authentication controls, eliminating any default protective layer. Flowise is widely deployed in enterprise AI environments for LLM orchestration and chatbot workflows — the blast radius extends to any backend storage (S3, GCS, local disk) and any downstream system that retrieves or renders uploaded files. No evidence of active exploitation in CISA KEV at time of publication, but the simplicity of the attack and breadth of deployment makes weaponization timeline very short.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | < 3.0.13 | 3.0.13 |
Recommended Action
1. PATCH: Upgrade to Flowise v3.0.13 immediately — this is the only complete fix.
2. NETWORK CONTROL: If patching is delayed, block unauthenticated access to /api/v1/attachments/* at the WAF or reverse proxy layer.
3. STORAGE AUDIT: Enumerate all files in your Flowise storage backend (S3 bucket, GCS bucket, or local upload directory) and flag any non-image/non-document MIME types (e.g., .php, .js, .html, .py, .sh). Remove suspicious files and rotate any credentials stored in Flowise flows.
4. DETECTION: Alert on POST requests to /api/v1/attachments with Content-Type mismatches (e.g., application/pdf with .php or .html extensions in the filename). Enable S3/GCS access logging and alert on new file writes with executable extensions.
5. ISOLATION: Ensure Flowise instances are not directly internet-facing unless business-required; place behind authenticated reverse proxy.
6. SECRET ROTATION: After patching, rotate all API keys (LLM providers, database, external services) stored in Flowise flow configurations as a precaution.
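The DETECTION step can be prototyped as follows. This is an added example, not code from Flowise or from this advisory; it assumes a proxy or middleware that writes one JSON record per request, and the field names (src, method, path, parts[].filename, parts[].contentType) are hypothetical.

```javascript
// Added example: flag attachment uploads whose declared type and filename disagree.
// The log schema below is an assumption; adapt the field names to your proxy.
const ATTACHMENTS = /^\/api\/v1\/attachments\//;
// Extensions the advisory lists as suspicious in attachment storage.
const EXECUTABLE_EXT = new Set(['.php', '.js', '.html', '.py', '.sh']);
// Extensions each declared MIME type may legitimately carry.
const MIME_EXT = {
  'application/pdf': ['.pdf'],
  'image/png': ['.png'],
  'image/jpeg': ['.jpg', '.jpeg'],
  'text/plain': ['.txt'],
};

// Use the last extension so "report.pdf.php" is judged as ".php".
function extOf(name) {
  const i = name.lastIndexOf('.');
  return i > 0 ? name.slice(i).toLowerCase() : '';
}

function findings(record) {
  if (record.method !== 'POST' || !ATTACHMENTS.test(record.path)) return [];
  const out = [];
  for (const part of record.parts || []) {
    const ext = extOf(part.filename || '');
    const mime = (part.contentType || '').split(';')[0].trim().toLowerCase();
    const allowed = MIME_EXT[mime];
    if (EXECUTABLE_EXT.has(ext)) {
      out.push({ src: record.src, file: part.filename, reason: 'executable-extension' });
    } else if (!allowed || !allowed.includes(ext)) {
      out.push({ src: record.src, file: part.filename, reason: 'type-extension-mismatch' });
    }
  }
  return out;
}

function scan(logText) {
  return logText.split('\n').filter(Boolean).flatMap((line) => {
    try { return findings(JSON.parse(line)); } catch { return []; } // skip malformed lines
  });
}

// Constructed sample log lines (documentation addresses, not real traffic).
const SAMPLE_LOG = [
  '{"src":"198.51.100.7","method":"POST","path":"/api/v1/attachments/flowA/chat1","parts":[{"filename":"invoice.pdf","contentType":"application/pdf"}]}',
  '{"src":"203.0.113.9","method":"POST","path":"/api/v1/attachments/flowA/chat2","parts":[{"filename":"report.php","contentType":"application/pdf"}]}',
  '{"src":"203.0.113.9","method":"POST","path":"/api/v1/attachments/flowA/chat3","parts":[{"filename":"photo.png","contentType":"application/pdf"}]}',
  '{"src":"198.51.100.7","method":"GET","path":"/api/v1/attachments/flowA/chat1","parts":[]}',
].join('\n');

console.log(scan(SAMPLE_LOG));
```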
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Related AI Incidents (2)
Company "Chai" in CVE description; Company "Chai" in CVE description; Shared keyword: "chatbot"
Company "Chai" in CVE description; Company "Chai" in CVE description; Shared keyword: "chatbot"
Source: AI Incident Database (AIID)
Frequently Asked Questions
What is CVE-2026-30821?
Any internet-facing Flowise instance running below v3.0.13 is fully compromised — unauthenticated attackers can upload arbitrary files by spoofing Content-Type headers, with a direct path to RCE when chained with Flowise's own file retrieval or static hosting features. Patch to 3.0.13 immediately; if patching is blocked, firewall the /api/v1/attachments endpoint at the perimeter and audit your file storage (S3/GCS/local) for unexpected non-document uploads. Treat any unpatched instance as a beachhead into your AI infrastructure.
Is CVE-2026-30821 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-30821, increasing the risk of exploitation.
How to fix CVE-2026-30821?
1. PATCH: Upgrade to Flowise v3.0.13 immediately — this is the only complete fix.
2. NETWORK CONTROL: If patching is delayed, block unauthenticated access to /api/v1/attachments/* at the WAF or reverse proxy layer.
3. STORAGE AUDIT: Enumerate all files in your Flowise storage backend (S3 bucket, GCS bucket, or local upload directory) and flag any non-image/non-document MIME types (e.g., .php, .js, .html, .py, .sh). Remove suspicious files and rotate any credentials stored in Flowise flows.
4. DETECTION: Alert on POST requests to /api/v1/attachments with Content-Type mismatches (e.g., application/pdf with .php or .html extensions in the filename). Enable S3/GCS access logging and alert on new file writes with executable extensions.
5. ISOLATION: Ensure Flowise instances are not directly internet-facing unless business-required; place behind authenticated reverse proxy.
6. SECRET ROTATION: After patching, rotate all API keys (LLM providers, database, external services) stored in Flowise flow configurations as a precaution.
What systems are affected by CVE-2026-30821?
This vulnerability affects the following AI/ML architecture patterns: LLM workflow orchestration (Flowise-based), Agent frameworks, Chatbot deployments, RAG pipelines, No-code AI builders, Cloud storage backends (S3/GCS).
What is the CVSS score for CVE-2026-30821?
CVE-2026-30821 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.19%.
Technical Details
NVD Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13.
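The gap the description identifies (trusting file.mimetype without checking magic bytes or file.originalname) is shown below next to a content-and-extension check. This is an added example, not Flowise's code or its 3.0.13 patch; file.buffer, the signature table and the function names are assumptions made for illustration.

```javascript
// Added example: validate an upload by content and extension, not by the declared type alone.
// `file` uses the fields named in the description (mimetype, originalname); `buffer` is assumed.

// Leading bytes and extensions for each type this sketch knows how to verify.
const SIGNATURES = {
  'application/pdf': { magic: [0x25, 0x50, 0x44, 0x46, 0x2d], exts: ['.pdf'] }, // "%PDF-"
  'image/png': { magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], exts: ['.png'] },
  'image/jpeg': { magic: [0xff, 0xd8, 0xff], exts: ['.jpg', '.jpeg'] },
};

// The flawed pattern: only the client-supplied Content-Type is consulted.
function declaredTypeOnly(file, allowedTypes) {
  return allowedTypes.includes(file.mimetype);
}

// Hardened pattern: the declared type must be allowed, and both the extension
// and the leading bytes must agree with it. Types without a known signature
// are rejected (fail closed).
function validateUpload(file, allowedTypes) {
  const sig = SIGNATURES[file.mimetype];
  if (!allowedTypes.includes(file.mimetype) || !sig) {
    return { ok: false, reason: 'type-not-allowed' };
  }
  const name = file.originalname || '';
  const dot = name.lastIndexOf('.');
  const ext = dot > 0 ? name.slice(dot).toLowerCase() : '';
  if (!sig.exts.includes(ext)) return { ok: false, reason: 'extension-mismatch' };
  const head = file.buffer.subarray(0, sig.magic.length);
  const matches = head.length === sig.magic.length && sig.magic.every((b, i) => head[i] === b);
  return matches ? { ok: true } : { ok: false, reason: 'content-mismatch' };
}

// Constructed samples: a minimal PDF header, and two non-PDF bodies declared as PDF.
const ALLOWED = ['application/pdf', 'image/png'];
const realPdf = { mimetype: 'application/pdf', originalname: 'report.pdf', buffer: Buffer.from('%PDF-1.7\n') };
const spoofedName = { mimetype: 'application/pdf', originalname: 'page.html', buffer: Buffer.from('<p>constructed sample</p>') };
const spoofedBody = { mimetype: 'application/pdf', originalname: 'report.pdf', buffer: Buffer.from('plain text, not a PDF') };

for (const f of [realPdf, spoofedName, spoofedBody]) {
  console.log(f.originalname, declaredTypeOnly(f, ALLOWED), validateUpload(f, ALLOWED));
}
```

The same validateUpload check can be run over files already in storage during the audit step, reading each object's first bytes instead of a request buffer.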
Exploitation Scenario
An adversary scans for publicly accessible Flowise instances (trivially found via Shodan/Censys querying for Flowise's default port and UI fingerprint). They POST to /api/v1/attachments/{chatflowId}/{chatId} with a request body containing a PHP webshell payload (<?php system($_GET['cmd']); ?>), but set the Content-Type header to application/pdf. Flowise's validation sees application/pdf (an allowed type), stores the file as chatflowId_chatId_webshell.php in the configured backend. If storage is local disk with a web-accessible path, the attacker directly requests the file to trigger RCE. If using S3/GCS with public or semi-public bucket policies, the file is accessible externally and can be delivered as a malicious payload to downstream users. The attacker then achieves full host access, exfiltrating all LLM API keys, database credentials, and configured flow secrets — turning the Flowise node into a persistent foothold within the organization's AI infrastructure.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13 Product Release
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6 Exploit Vendor
Related Vulnerabilities
- CVE-2025-59528, 10.0, Flowise: Unauthenticated RCE via MCP config injection (same package: flowise)
- CVE-2026-40933, 9.9, Flowise: RCE via MCP stdio command injection (same package: flowise)
- CVE-2025-61913, 9.9, Flowise: path traversal in file tools leads to RCE (same package: flowise)
- CVE-2026-30824, 9.8, Flowise: auth bypass exposes NVIDIA NIM container endpoints (same package: flowise)
- CVE-2025-58434, 9.8, Flowise: auth bypass in reset flow allows full ATO (same package: flowise)