AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2024-36420: Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, th

highvulnerability

security

Source: NVD/CVE DatabaseJuly 1, 2024CVE-2024-36420

Summary

Flowise version 1.4.3 has a vulnerability in its `/api/v1/openai-assistants-file` endpoint that allows arbitrary file read attacks (reading files on a system without permission) because the `fileName` parameter is not properly sanitized (cleaned of malicious input). This is caused by improper input validation, which is a common security weakness in software.

Vulnerability Details

CVSS Score

7.5(high)

EPSS (30-day exploit probability)

EPSS: 0.3%

Classification

Attack Type

Data Extraction

Attack SophisticationTrivial

Impact (CIA+S)

confidentialityintegrity

Taxonomy References

CWE (Weakness Type)

CWE-74 CWE-74

Affected Vendors

LangChain

Related Issues

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendorNVD/CVE Database

critical

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

First tracked: February 15, 2026 at 08:53 PM

Classified by LLM (prompt v3) · confidence: 95%