https://feed.craftedsignal.io/tags/flowiseai/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 17 Apr 2026 14:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-17-flowise-upload-bypass/Fri, 17 Apr 2026 14:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-17-flowise-upload-bypass/A file upload validation bypass vulnerability exists in FlowiseAI, where the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type, enabling an attacker to upload .js files, store malicious Node.js web shells on the server, and potentially achieve Remote Code Execution (RCE).FlowiseAI, a low-code platform for building AI applications, contains a file upload validation bypass vulnerability. By modifying the Chatflow configuration, specifically the allowedUploadFileTypes setting, an attacker can add application/javascript as an accepted MIME type. This bypasses previous mitigations (CVE-2025-61687) intended to prevent the upload of potentially malicious files. Although the frontend UI restricts JavaScript uploads, a direct API request can circumvent this. Successful exploitation allows attackers to persistently store Node.js web shells (e.g., shell.js) on the Flowise server. This vulnerability affects FlowiseAI versions up to 3.0.13. If executed, these web shells could grant the attacker Remote Code Execution (RCE) capabilities on the server, posing a significant risk to system integrity and data confidentiality.

Attack Chain

1. The attacker identifies a vulnerable FlowiseAI instance running a version <= 3.0.13.
2. The attacker authenticates to the FlowiseAI instance as an administrator or with compromised credentials.
3. The attacker crafts a malicious HTTP PUT request to the /api/v1/chatflows/{CHATFLOW_ID} endpoint.
4. The PUT request modifies the Chatflow configuration, specifically the chatbotConfig to include application/javascript in the allowedUploadFileTypes.
5. The attacker crafts a malicious HTTP POST request to the /api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID} endpoint to upload a .js file (Node.js web shell), such as the shell.js example.
6. The server saves the malicious .js file to a publicly accessible directory.
7. The attacker accesses the uploaded .js file via a direct HTTP request.
8. The web shell executes commands specified in the URL parameters, such as http://localhost:8888/?cmd=id, resulting in RCE.

Impact

Successful exploitation of this vulnerability allows attackers to upload and persistently store malicious web shells on the FlowiseAI server. Execution of these web shells grants the attacker the ability to execute arbitrary commands on the underlying system. This can lead to complete system compromise, data exfiltration, and denial of service. This vulnerability affects FlowiseAI versions up to 3.0.13.

Recommendation

• Apply appropriate input validation and sanitization to prevent modification of allowedUploadFileTypes settings.
• Monitor network traffic for PUT requests to /api/v1/chatflows/{CHATFLOW_ID} modifying allowedUploadFileTypes as described in the attack chain.
• Monitor for POST requests to /api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID} uploading .js files based on the attack chain.
• Deploy the Sigma rules provided below to detect suspicious HTTP requests indicative of this attack.

]]>criticaladvisoryflowiseaifile-uploadrceweb-shellhttps://feed.craftedsignal.io/briefs/2024-01-flowise-rce/Thu, 16 Apr 2026 21:43:57 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-flowise-rce/A remote code execution vulnerability exists in FlowiseAI's AirtableAgent.ts due to insufficient input verification when using Pandas, allowing attackers to inject malicious code into the prompt and execute arbitrary code via Pyodide.FlowiseAI is susceptible to a remote code execution (RCE) vulnerability within the AirtableAgent function. This function, designed to retrieve and process datasets from Airtable.com, is flawed due to the lack of input sanitization. Specifically, user-supplied input is directly incorporated into a prompt template, which is then used to generate Python code executed by Pyodide. By injecting malicious payloads into the prompt, an attacker can bypass the intended behavior of the language model and execute arbitrary Python code, leading to complete system compromise. The vulnerability resides in AirtableAgent.ts and is triggered when the input variable, containing user-supplied data, is passed to the LLMChain without proper validation.

Attack Chain

1. An attacker crafts a malicious payload containing a prompt injection designed to execute arbitrary code.
2. The attacker submits the crafted payload via the FlowiseAI application to the AirtableAgent function.
3. The payload is passed into the input variable without sanitization and incorporated into the prompt template within systemPrompt.
4. The LLMChain uses the crafted prompt, including the injected code, to generate a pythonCode string.
5. The generated pythonCode string, containing the malicious code, is passed to the pyodide.runPythonAsync() function.
6. Pyodide executes the malicious Python code, leading to remote code execution on the FlowiseAI server.
7. The attacker gains control of the FlowiseAI instance, potentially accessing sensitive data or pivoting to other systems on the network.

Impact

Successful exploitation of this vulnerability allows for complete remote code execution on the FlowiseAI server. This could lead to the compromise of sensitive data stored within Airtable datasets, as well as the potential for lateral movement to other systems on the network. The lack of input validation opens the door to attackers using prompt injection to bypass security measures and gain unauthorized access.

Recommendation

• Apply input sanitization and validation to the input variable within the AirtableAgent function in AirtableAgent.ts before it is incorporated into the prompt template.
• Implement strict output filtering on the pythonCode generated by the LLMChain to prevent the execution of potentially malicious code.
• Deploy the Sigma rule to detect prompt injection attempts targeting the AirtableAgent function.
• Regularly audit and update FlowiseAI dependencies, including Pyodide and Pandas, to address any known security vulnerabilities.

]]>criticaladvisoryflowiseairceprompt-injectionairtable