Cyber Resilience

CVE-2026-30821

HighPublic PoC

Published: 07 March 2026

Published
07 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v4 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.1833 96.9th percentile
Risk Priority 60 floored blend · peak EPSS

Summary

CVE-2026-30821 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Flowiseai Flowise. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-30821 is an unrestricted file upload vulnerability (CWE-434) in Flowise, an open-source drag-and-drop user interface for building customized large language model flows. In versions prior to 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is whitelisted for unauthenticated access, enabling file uploads. Although the server checks MIME types against those defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it trusts the client-supplied Content-Type header (file.mimetype) without validating the file's actual content via magic bytes or its extension (file.originalname). This allows attackers to spoof permitted types, such as application/pdf, and upload malicious scripts or arbitrary files, which are then persisted in backend storage via addArrayFilesToStorage, including S3, GCS, or local disk.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables uploading arbitrary files that persist in storage, serving as an entry point for chained attacks such as Stored XSS via file retrieval features, malicious file hosting through static serving, or Remote Code Execution depending on the environment and subsequent interactions.

Flowise has addressed this issue in version 3.0.13. Security advisories recommend upgrading to this patched version to mitigate the vulnerability. Additional details are available in the GitHub security advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6 and release notes at https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates uploads…

more

based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname). Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE). This issue has been patched in version 3.0.13.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: flowise, large language model

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1608.001 Upload Malware Resource Development
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting.
Why these techniques?

Unrestricted unauthenticated file upload in public-facing web app enables exploitation (T1190), web shell deployment via static serving (T1505.003), and malware staging in backend storage (T1608.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41269Same product: Flowiseai Flowise
CVE-2025-26319Same product: Flowiseai Flowise
CVE-2025-61687Same product: Flowiseai Flowise
CVE-2025-61913Same product: Flowiseai Flowise
CVE-2025-34267Same product: Flowiseai Flowise
CVE-2025-8943Same product: Flowiseai Flowise
CVE-2026-41272Same product: Flowiseai Flowise
CVE-2026-41277Same product: Flowiseai Flowise
CVE-2026-41274Same product: Flowiseai Flowise
CVE-2026-41270Same product: Flowiseai Flowise

Affected Assets

flowiseai
flowise
≤ 3.0.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validating the actual content of uploaded files using magic bytes or similar checks to prevent bypassing MIME type restrictions via spoofing.

prevent

Enforces approved authorizations to block unauthenticated access to the whitelisted file upload endpoint.

prevent

Explicitly authorizes and limits specific actions like file uploads that are permitted without identification or authentication.

References