Description
Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.
Published: 2026-06-25
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowise contains a path traversal flaw in the /api/v1/document-store/loader/process API. An unauthenticated attacker can supply a fileName parameter with '../' sequences to write arbitrary files to the underlying filesystem. By overwriting critical files such as package.json, the attacker can force the application to restart with malicious code, achieving remote code execution once the service reloads.

Affected Systems

The Flowise Flowise platform is affected. No specific version data is listed, so all current releases are presumed vulnerable.

Risk and Exploitability

The vulnerability scores 10 on the CVSS scale, indicating the highest severity. The EPSS score is not available, but the absence of a KEV listing does not reduce the risk because the flaw allows unauthenticated writes to the filesystem, a classic server‑side path traversal. The likely attack vector is remote, via any unauthenticated HTTP request to the exposed API endpoint.

Generated by OpenCVE AI on June 25, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to a patched release that removes the path traversal vulnerability.
  • Configure the application to limit write operations to a safe directory or disable the /api/v1/document-store/loader/process endpoint entirely.
  • Implement authentication or network controls to block unauthenticated access to the vulnerable API endpoint.

Generated by OpenCVE AI on June 25, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.
Title Flowise - Arbitrary File Write to Remote Code Execution via document-store API
First Time appeared Flowiseai
Flowiseai flowise
Weaknesses CWE-73
CPEs cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products Flowiseai
Flowiseai flowise
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Flowiseai Flowise
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-26T12:45:28.411Z

Reserved: 2026-06-20T01:48:36.756Z

Link: CVE-2025-71338

cve-icon Vulnrichment

Updated: 2026-06-26T12:45:13.575Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T03:45:16Z

Weaknesses
  • CWE-73

    External Control of File Name or Path