How the CVE Works
CVE-2025-26319 is an insecure file upload vulnerability in FlowiseAI Flowise v2.2.6. It resides in the `/api/v1/attachments` endpoint, which fails to properly validate user-uploaded files. Attackers can bypass file type checks and upload malicious files (e.g., webshells) to the server, leading to remote code execution (RCE). Because uploads are not sanitized, arbitrary files can be written to the server, allowing an attacker to compromise the host system.
DailyCVE Form
Platform: FlowiseAI Flowise
Version: v2.2.6
Vulnerability: Arbitrary File Upload
Severity: Critical
Date: 06/23/2025
Prediction: Patch by 07/15/2025
What Undercode Says
curl -X POST -F "file=@exploit.php" http://target/api/v1/attachments

import requests
requests.post("http://target/api/v1/attachments", files={"file": open("exploit.php", "rb")})
How to Exploit
1. Craft a malicious file (e.g., PHP webshell).
2. Upload via `/api/v1/attachments`.
3. Execute code on the server.
Protection from this CVE
1. Disable `/api/v1/attachments`.
2. Implement file type validation.
3. Restrict upload permissions.
Impact
- Remote Code Execution (RCE).
- Full system compromise.
- Data exfiltration.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode