CVE-2026-41269: Flowise unrestricted file upload

CISO Take

Flowise, the popular drag-and-drop LLM workflow builder, contains an unrestricted file upload vulnerability (CWE-434) that allows any low-privileged user to modify Chatflow MIME type settings and upload malicious Node.js web shells, achieving persistent Remote Code Execution on the host server. Once a shell is planted, attackers gain full access to stored LLM API keys, agent configurations, RAG data sources, and can pivot to any connected AI infrastructure. A public proof-of-concept exploit is available, SSVC rates this TRACK_STAR, and the EPSS score places it in the top 76th percentile for exploitation likelihood — making this trivially accessible to opportunistic attackers targeting AI infrastructure. Organizations running Flowise prior to 3.1.0 should upgrade immediately, audit their uploads directory for unexpected .js files, and restrict network exposure pending patch deployment.

Sources: NVD EPSS GitHub Advisory ATLAS

What is the risk?

High risk. CVSS 8.8 with network-accessible vector, low attack complexity, and only low privileges required combines with a public PoC to make this immediately actionable for attackers. Full CIA triad impact (C:H/I:H/A:H) means a successful exploit results in total server compromise. The 59 prior CVEs in the same package indicate a historically vulnerable codebase. Flowise instances exposed to the internet or to untrusted internal users are at critical risk; the persistent web shell mechanism makes detection and post-breach remediation significantly harder than typical RCE vulnerabilities.

How does the attack unfold?

Initial Access

Attacker authenticates to Flowise with low-privilege credentials obtained via credential stuffing, phishing, or account enumeration against the public-facing web interface.

AML.T0049

Configuration Manipulation

Attacker navigates to Chatflow configuration and modifies the file upload MIME type whitelist to add application/javascript, bypassing the frontend restriction.

AML.T0081

Web Shell Deployment

Attacker uploads a malicious .js Node.js web shell via the now-permitted file upload endpoint, persisting it on the server filesystem.

AML.T0079

Persistent RCE & Credential Theft

Attacker invokes the web shell via HTTP to execute arbitrary OS commands, exfiltrate stored LLM API keys and database credentials, and establish a reverse shell for persistent access.

AML.T0083

Initial Access

Attacker authenticates to Flowise with low-privilege credentials obtained via credential stuffing, phishing, or account enumeration against the public-facing web interface.

AML.T0049

Configuration Manipulation

Attacker navigates to Chatflow configuration and modifies the file upload MIME type whitelist to add application/javascript, bypassing the frontend restriction.

AML.T0081

Web Shell Deployment

Attacker uploads a malicious .js Node.js web shell via the now-permitted file upload endpoint, persisting it on the server filesystem.

AML.T0079

Persistent RCE & Credential Theft

Attacker invokes the web shell via HTTP to execute arbitrary OS commands, exfiltrate stored LLM API keys and database credentials, and establish a reverse shell for persistent access.

AML.T0083

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	—	No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

8.8 / 10

EPSS

0.5%

chance of exploitation in 30 days

Higher than 37% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

What should I do?

7 steps

Upgrade to Flowise 3.1.0 immediately — this is the only complete fix.
Audit the Flowise uploads directory (typically ./uploads or configured storage path) for unexpected .js files; any found should be treated as indicators of compromise.
Rotate all LLM API keys, database credentials, and integration secrets stored in Flowise configurations as a precaution.
Restrict network access to Flowise instances via firewall rules — only allow access from trusted IP ranges.
Review Flowise user accounts and remove any unauthorized low-privilege accounts that could have been used for exploitation.
Monitor Node.js process trees on the host for unexpected child processes spawned from the Flowise process.
If immediate patching is not possible, disable file upload functionality in Flowise configuration as a temporary workaround.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Auth Bypass Data Extraction Agent Framework AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0072 - Reverse Shell AML.T0079 - Stage Capabilities AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.5 - Security of AI systems A.8.2 - System and communications protection

NIST AI RMF

GOVERN 6.1 - Policies and procedures are in place for secure AI development and deployment MANAGE 2.2 - Mechanisms are in place to manage AI risk

OWASP LLM Top 10

LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-41269?

Flowise, the popular drag-and-drop LLM workflow builder, contains an unrestricted file upload vulnerability (CWE-434) that allows any low-privileged user to modify Chatflow MIME type settings and upload malicious Node.js web shells, achieving persistent Remote Code Execution on the host server. Once a shell is planted, attackers gain full access to stored LLM API keys, agent configurations, RAG data sources, and can pivot to any connected AI infrastructure. A public proof-of-concept exploit is available, SSVC rates this TRACK_STAR, and the EPSS score places it in the top 76th percentile for exploitation likelihood — making this trivially accessible to opportunistic attackers targeting AI infrastructure. Organizations running Flowise prior to 3.1.0 should upgrade immediately, audit their uploads directory for unexpected .js files, and restrict network exposure pending patch deployment.

Is CVE-2026-41269 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-41269, increasing the risk of exploitation.

How to fix CVE-2026-41269?

1. Upgrade to Flowise 3.1.0 immediately — this is the only complete fix. 2. Audit the Flowise uploads directory (typically ./uploads or configured storage path) for unexpected .js files; any found should be treated as indicators of compromise. 3. Rotate all LLM API keys, database credentials, and integration secrets stored in Flowise configurations as a precaution. 4. Restrict network access to Flowise instances via firewall rules — only allow access from trusted IP ranges. 5. Review Flowise user accounts and remove any unauthorized low-privilege accounts that could have been used for exploitation. 6. Monitor Node.js process trees on the host for unexpected child processes spawned from the Flowise process. 7. If immediate patching is not possible, disable file upload functionality in Flowise configuration as a temporary workaround.

What systems are affected by CVE-2026-41269?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow builders, AI orchestration platforms, RAG pipelines, multi-agent systems.

What is the CVSS score for CVE-2026-41269?

CVE-2026-41269 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.47%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM workflow buildersAI orchestration platformsRAG pipelinesmulti-agent systems

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0072 Reverse Shell

AML.T0079 Stage Capabilities

AML.T0081 Modify AI Agent Configuration

AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.1.5, A.8.2

NIST AI RMF: GOVERN 6.1, MANAGE 2.2

OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.

Exploitation Scenario

An attacker obtains low-privilege credentials to a Flowise instance (via credential stuffing, phishing, or a previously compromised account) and navigates to the Chatflow configuration panel. They modify the allowed MIME types to include application/javascript, then upload a malicious .js file crafted as a Node.js web shell — for example, a script that spawns a reverse shell or executes arbitrary OS commands via child_process. The file persists on the server's filesystem and is accessible via HTTP. The attacker then makes HTTP requests to the uploaded shell to execute commands, extract /opt/flowise/.env for stored LLM API keys and database credentials, exfiltrate vector database contents from connected RAG systems, and establish a persistent backdoor. The SSVC TRACK_STAR rating and available PoC make this scenario realistic for any internet-exposed Flowise deployment.

Weaknesses (CWE)

CWE-434 Unrestricted Upload of File with Dangerous Type Primary

CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

[Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
[Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Source: MITRE CWE corpus.