CVE-2025-71333

Flowise · Flowise

Flowise contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint, allowing attackers to achieve remote code execution via path traversal.

Executive summary

An unauthenticated arbitrary file upload vulnerability in Flowise allows remote attackers to execute malicious code, leading to total server compromise.

Vulnerability

The /api/v1/attachments endpoint lacks input validation. An unauthenticated attacker can exploit path traversal via the chatId and chatflowId parameters to upload files to unauthorized directories.

Business impact

The ability to upload arbitrary files to a server facilitates Remote Code Execution (RCE), which grants an attacker full control over the application environment. Given the CVSS score of 9.3, this flaw poses a severe risk of data exfiltration, service disruption, and lateral movement within the corporate network.

Remediation

Immediate Action: Upgrade Flowise to the latest patched version to remediate the vulnerable file upload logic.

Proactive Monitoring: Monitor server logs for suspicious POST requests to /api/v1/attachments and inspect file system directories for unexpected executable files or non-standard file types.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../) in the chatId or chatflowId parameters.
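
One way to implement the log monitoring and traversal check described above, as an added example (not Flowise code or a vendor tool). It assumes combined-format access logs and that chatId and chatflowId travel in the request target (path or query string); the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/api/v1/attachments"
# Request part of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path segment or parameter value, delimited by / \ = & ? or string end.
TRAVERSAL_RE = re.compile(r"(^|[/\\=&?])\.\.([/\\&]|$)")

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(line):
    """True for a POST to the attachments endpoint whose target has traversal."""
    match = REQUEST_RE.search(line)
    if not match or match.group("method") != "POST":
        return False
    target = fully_decode(match.group("target"))
    # Only the request target is visible in access logs; parameters sent in
    # the request body need WAF or application-level inspection instead.
    return target.startswith(ENDPOINT) and bool(TRAVERSAL_RE.search(target))

def flag_lines(lines):
    """Return the log lines that should be reviewed."""
    return [line for line in lines if is_suspicious(line)]

# Constructed sample log lines (documentation IP range, placeholder names).
TS = "[01/Jan/2025:10:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.10 - - {TS} "POST /api/v1/attachments/flow-1/chat-1 HTTP/1.1" 200 512',
    f'203.0.113.11 - - {TS} "POST /api/v1/attachments/..%2f..%2fx/chat-1 HTTP/1.1" 200 512',
    f'203.0.113.12 - - {TS} "POST /api/v1/attachments/flow-1/%252e%252e%252f%252e%252e HTTP/1.1" 200 512',
    f'203.0.113.13 - - {TS} "GET /api/v1/attachments/../x HTTP/1.1" 404 0',
    f'203.0.113.14 - - {TS} "POST /api/v1/attachments?chatflowId=flow-1&chatId=..%5C..%5Cx HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

The same decode-then-match order applies to a WAF rule: a rule that matches only the literal `../` misses the encoded and backslash forms flagged here.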

Exploitation status

Public Exploit Available: N/A

Analyst recommendation

This is a critical vulnerability that provides an unauthenticated vector for full system compromise. Organizations running affected versions of Flowise must prioritize the application of vendor-supplied patches to eliminate this remote code execution risk.