CVE-2026-30821

Source
https://cve.org/CVERecord?id=CVE-2026-30821
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30821.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-30821
Aliases
Published
2026-03-07T05:07:50.067Z
Modified
2026-04-10T05:41:54.497393Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Flowise: Arbitrary File Upload via MIME Spoofing
Details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13.
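
The validation gap described above, shown as an added example (not Flowise's code or its 3.0.13 patch): a check that consults only the client-supplied file.mimetype, beside one that also requires file.originalname and the leading bytes to agree with the declared type. The function names, the signature table and the sample uploads are assumptions constructed for illustration; the file objects use the originalname/mimetype/buffer fields the advisory refers to.

```javascript
// Hypothetical signature table: declared MIME type -> allowed extensions and leading bytes.
const SIGNATURES = new Map([
  ['application/pdf', { exts: ['.pdf'], magic: [Buffer.from('%PDF-')] }],
  ['image/png', { exts: ['.png'], magic: [Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])] }],
  ['image/jpeg', { exts: ['.jpg', '.jpeg'], magic: [Buffer.from([0xff, 0xd8, 0xff])] }],
]);

// The check as the advisory describes it: only the client-controlled Content-Type is consulted.
function headerOnlyCheck(file, allowedTypes) {
  return allowedTypes.includes(file.mimetype);
}

// Hardened check: declared type, file extension and leading bytes must all agree.
function contentAwareCheck(file, allowedTypes) {
  if (!allowedTypes.includes(file.mimetype)) return { ok: false, reason: 'type not allowed' };
  const sig = SIGNATURES.get(file.mimetype);
  // Fail closed: an allowed type with no known signature cannot be verified.
  if (!sig) return { ok: false, reason: 'no signature known for type' };
  const dot = file.originalname.lastIndexOf('.');
  const ext = dot >= 0 ? file.originalname.slice(dot).toLowerCase() : '';
  if (!sig.exts.includes(ext)) return { ok: false, reason: 'extension mismatch' };
  const head = file.buffer.subarray(0, 16);
  const matches = sig.magic.some(
    (m) => head.length >= m.length && head.subarray(0, m.length).equals(m)
  );
  return matches ? { ok: true } : { ok: false, reason: 'content mismatch' };
}

// Constructed sample uploads (harmless placeholder content).
const allowed = ['application/pdf'];
const realPdf = { originalname: 'report.pdf', mimetype: 'application/pdf', buffer: Buffer.from('%PDF-1.7\n') };
const spoofed = { originalname: 'page.html', mimetype: 'application/pdf', buffer: Buffer.from('<html>not a pdf</html>') };
const renamed = { originalname: 'page.pdf', mimetype: 'application/pdf', buffer: Buffer.from('<html>not a pdf</html>') };

for (const f of [realPdf, spoofed, renamed]) {
  console.log(f.originalname, 'header-only:', headerOnlyCheck(f, allowed),
    'content-aware:', JSON.stringify(contentAwareCheck(f, allowed)));
}
```

Content checks narrow what reaches storage but do not address the unauthenticated access to the endpoint that the advisory also describes; the project's fix is in version 3.0.13.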

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30821.json",
    "cwe_ids": [
        "CWE-434"
    ]
}
References

Affected packages

Git / github.com/flowiseai/flowise

Affected ranges

Type
GIT
Repo
https://github.com/flowiseai/flowise
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

flowise-components@1.*
flowise-components@1.0.0
flowise-components@1.1.0
flowise-components@1.1.1
flowise-components@1.2.1
flowise-components@1.2.10
flowise-components@1.2.12
flowise-components@1.2.14
flowise-components@1.2.15
flowise-components@1.2.16
flowise-components@1.2.17
flowise-components@1.2.2
flowise-components@1.2.3
flowise-components@1.2.4
flowise-components@1.2.5
flowise-components@1.2.6
flowise-components@1.2.7
flowise-components@1.2.8
flowise-components@1.2.9
flowise-components@1.3.0
flowise-components@1.3.1
flowise-components@1.3.10
flowise-components@1.3.11
flowise-components@1.3.2
flowise-components@1.3.3
flowise-components@1.3.4
flowise-components@1.3.5
flowise-components@1.3.7
flowise-components@1.3.8
flowise-components@1.3.9
flowise-components@1.4.0
flowise-components@1.4.1
flowise-components@1.4.2
flowise-components@1.4.6
flowise-components@1.4.7
flowise-components@1.4.8
flowise-components@1.4.9
flowise-components@1.5.0
flowise-components@1.5.1
flowise-components@1.5.2
flowise-components@1.5.3
flowise-components@1.6.0
flowise-components@1.6.1
flowise-components@1.6.2
flowise-components@1.6.3
flowise-components@1.6.4
flowise-components@1.6.5
flowise-components@1.6.6
flowise-components@1.6.7
flowise-components@1.6.8
flowise-components@1.7.0
flowise-components@1.7.1
flowise-components@1.7.2
flowise-components@1.8.0
flowise-components@1.8.1
flowise-components@1.8.3
flowise-components@1.8.4
flowise-components@1.8.6
flowise-components@2.*
flowise-components@2.0.2
flowise-components@2.0.3
flowise-components@2.0.4
flowise-components@2.0.5
flowise-components@2.0.6
flowise-components@2.0.7
flowise-components@2.1.0
flowise-components@2.1.1
flowise-components@2.1.2
flowise-components@2.1.3
flowise-components@2.1.4
flowise-components@2.1.5
flowise-components@2.2.0
flowise-components@2.2.1
flowise-components@2.2.2
flowise-components@2.2.3
flowise-components@2.2.4
flowise-components@2.2.5
flowise-components@2.2.6
flowise-components@2.2.7
flowise-components@2.2.7-patch.1
flowise-components@2.2.8
flowise-components@3.*
flowise-components@3.0.0
flowise-components@3.0.1
flowise-components@3.0.10
flowise-components@3.0.11
flowise-components@3.0.12
flowise-components@3.0.2
flowise-components@3.0.3
flowise-components@3.0.4
flowise-components@3.0.5
flowise-components@3.0.6
flowise-components@3.0.7
flowise-components@3.0.8
flowise-components@3.0.9
flowise-ui@1.*
flowise-ui@1.0.0
flowise-ui@1.1.0
flowise-ui@1.2.0
flowise-ui@1.2.1
flowise-ui@1.2.10
flowise-ui@1.2.12
flowise-ui@1.2.13
flowise-ui@1.2.14
flowise-ui@1.2.15
flowise-ui@1.2.2
flowise-ui@1.2.3
flowise-ui@1.2.4
flowise-ui@1.2.5
flowise-ui@1.2.6
flowise-ui@1.2.7
flowise-ui@1.3.0
flowise-ui@1.3.1
flowise-ui@1.3.2
flowise-ui@1.3.3
flowise-ui@1.3.4
flowise-ui@1.3.5
flowise-ui@1.3.6
flowise-ui@1.3.7
flowise-ui@1.4.0
flowise-ui@1.4.2
flowise-ui@1.4.3
flowise-ui@1.4.4
flowise-ui@1.4.5
flowise-ui@1.4.6
flowise-ui@1.4.7
flowise-ui@1.4.8
flowise-ui@1.4.9
flowise-ui@1.5.0
flowise-ui@1.5.1
flowise-ui@1.6.0
flowise-ui@1.6.1
flowise-ui@1.6.2
flowise-ui@1.6.3
flowise-ui@1.6.4
flowise-ui@1.6.5
flowise-ui@1.6.6
flowise-ui@1.7.0
flowise-ui@1.7.1
flowise-ui@1.7.2
flowise-ui@1.8.0
flowise-ui@1.8.1
flowise-ui@1.8.2
flowise-ui@1.8.3
flowise-ui@1.8.4
flowise-ui@2.*
flowise-ui@2.0.2
flowise-ui@2.0.3
flowise-ui@2.0.4
flowise-ui@2.0.5
flowise-ui@2.0.6
flowise-ui@2.0.7
flowise-ui@2.1.0
flowise-ui@2.1.1
flowise-ui@2.1.2
flowise-ui@2.1.3
flowise-ui@2.1.4
flowise-ui@2.1.5
flowise-ui@2.2.0
flowise-ui@2.2.1
flowise-ui@2.2.2
flowise-ui@2.2.3
flowise-ui@2.2.4
flowise-ui@2.2.5
flowise-ui@2.2.6
flowise-ui@2.2.7
flowise-ui@2.2.7-patch.1
flowise-ui@2.2.8
flowise-ui@3.*
flowise-ui@3.0.0
flowise-ui@3.0.1
flowise-ui@3.0.10
flowise-ui@3.0.11
flowise-ui@3.0.12
flowise-ui@3.0.2
flowise-ui@3.0.3
flowise-ui@3.0.4
flowise-ui@3.0.5
flowise-ui@3.0.6
flowise-ui@3.0.7
flowise-ui@3.0.8
flowise-ui@3.0.9
flowise@1.*
flowise@1.0.0
flowise@1.0.1
flowise@1.1.0
flowise@1.1.1
flowise@1.2.1
flowise@1.2.11
flowise@1.2.13
flowise@1.2.14
flowise@1.2.15
flowise@1.2.16
flowise@1.2.2
flowise@1.2.3
flowise@1.2.4
flowise@1.2.5
flowise@1.2.6
flowise@1.2.7
flowise@1.2.8
flowise@1.2.9
flowise@1.3.0
flowise@1.3.1
flowise@1.3.2
flowise@1.3.3
flowise@1.3.4
flowise@1.3.5
flowise@1.3.6
flowise@1.3.7
flowise@1.3.8
flowise@1.3.9
flowise@1.4.0
flowise@1.4.1
flowise@1.4.10
flowise@1.4.11
flowise@1.4.12
flowise@1.4.2
flowise@1.4.4
flowise@1.4.5
flowise@1.4.6
flowise@1.4.7
flowise@1.4.8
flowise@1.4.9
flowise@1.5.0
flowise@1.5.1
flowise@1.6.0
flowise@1.6.1
flowise@1.6.2
flowise@1.6.3
flowise@1.6.4
flowise@1.6.5
flowise@1.6.6
flowise@1.7.0
flowise@1.7.1
flowise@1.7.2
flowise@1.8.0
flowise@1.8.1
flowise@1.8.2
flowise@1.8.3
flowise@1.8.4
flowise@2.*
flowise@2.0.2
flowise@2.0.3
flowise@2.0.4
flowise@2.0.5
flowise@2.0.6
flowise@2.0.7
flowise@2.1.0
flowise@2.1.1
flowise@2.1.2
flowise@2.1.3
flowise@2.1.4
flowise@2.1.5
flowise@2.2.0
flowise@2.2.1
flowise@2.2.2
flowise@2.2.3
flowise@2.2.4
flowise@2.2.5
flowise@2.2.6
flowise@2.2.6-hotfix.1
flowise@2.2.7
flowise@2.2.7-patch.1
flowise@2.2.8
flowise@3.*
flowise@3.0.0
flowise@3.0.1
flowise@3.0.10
flowise@3.0.11
flowise@3.0.12
flowise@3.0.2
flowise@3.0.3
flowise@3.0.4
flowise@3.0.5
flowise@3.0.6
flowise@3.0.7
flowise@3.0.8
flowise@3.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30821.json"