CVE-2025-26319
Published: 04 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-26319 is an arbitrary file upload vulnerability affecting FlowiseAI Flowise version 2.2.6, specifically in the /api/v1/attachments endpoint. This flaw, linked to CWE-434 (Unrestricted Upload of File with Dangerous Type), allows attackers to upload malicious files without proper validation, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2025-03-04.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing attackers to upload and execute arbitrary files, such as web shells, leading to full server control.
Mitigation details are available in the referenced advisory at https://github.com/dorattias/CVE-2025-26319. Security practitioners should review this GitHub repository for patch information, workarounds, or upgrade guidance for Flowise v2.2.6.
FlowiseAI is a low-code platform for building LLM-based applications, making this vulnerability relevant to AI/ML deployments where exposed instances could be targeted for supply chain or runtime compromise. No public evidence of real-world exploitation has been reported as of publication.
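For triage of an exposed instance, the following added example (not code from the advisory or from Flowise) scans reverse-proxy access logs for POST requests to the /api/v1/attachments endpoint and groups them by client IP. It assumes the nginx/Apache "combined" log format and treats a 2xx status as a sign the upload was accepted; the sample lines, IP addresses and sub-path segments are constructed.

```python
import re
from collections import defaultdict

# Endpoint named in the CVE summary; requests at or below this path are in scope.
ENDPOINT = "/api/v1/attachments"

# Assumption: nginx/Apache "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_attachment_uploads(lines):
    """Return {client_ip: [(timestamp, path, status), ...]} for every POST
    to the attachments endpoint. Lines that do not parse are skipped."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path == ENDPOINT or path.startswith(ENDPOINT + "/"):
            hits[m["ip"]].append((m["ts"], m["path"], int(m["status"])))
    return dict(hits)

def accepted_uploads(hits):
    """Keep only 2xx events (assumption: the server accepted the upload);
    these are the requests to review first."""
    out = {}
    for ip, events in hits.items():
        ok = [e for e in events if 200 <= e[2] < 300]
        if ok:
            out[ip] = ok
    return out

# Constructed sample log lines (documentation IP ranges, made-up sub-paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2025:10:12:01 +0000] "POST /api/v1/attachments/aaa/bbb HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.4 - - [05/Mar/2025:10:12:09 +0000] "GET /api/v1/attachments HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2025:10:12:30 +0000] "POST /api/v1/attachments/aaa/bbb?x=1 HTTP/1.1" 500 90 "-" "curl/8.5.0"',
    '192.0.2.10 - - [05/Mar/2025:10:13:00 +0000] "POST /api/v1/attachments-old HTTP/1.1" 404 0 "-" "-"',
    'garbage line',
]

if __name__ == "__main__":
    for ip, events in accepted_uploads(find_attachment_uploads(SAMPLE_LOG)).items():
        for ts, path, status in events:
            print(f"{ip} {ts} {status} {path}")
```

Any client IP this reports on an affected version warrants a check of the server's upload storage for files that should not be there.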
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: FlowiseAI is an open-source low-code platform for building and deploying customized LLM flows and AI agents/assistants using tools like LangchainJS, making it an enterprise-oriented AI assistant development tool.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload in /api/v1/attachments enables exploitation of a public-facing application (T1190), ingress of tools or malware (T1105), and deployment of web shells (T1505.003) for execution and persistence.