CVE-2025-71324

HIGH 7.5

Flowise - Arbitrary File Read via chatId Parameter

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is not validated and is passed to streamStorageFile(), where a fallback file-lookup path constructed without the orgId is evaluated after the storage-directory containment check, allowing path traversal beyond the intended storage directory. Unauthenticated attackers can read sensitive files such as /root/.flowise/database.sqlite, exposing all database content in the default configuration.

CWE	CWE-73
Vendor	flowise
Product	flowise
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for flowise flowise

Be the first to know when new high vulnerabilities affecting flowise flowise are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Flowise / Flowise

0 < 3.0.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-99pg-hqvx-r4gf vulncheck.com: https://www.vulncheck.com/advisories/flowise-arbitrary-file-read-via-chatid-parameter

Credits

🔍 dwbzn