GHSA-j8g8-j7fc-43v6: Flowise has Arbitrary File Upload via MIME Spoofing
Summary
Flowise has a file upload vulnerability: the server validates uploads using only the `Content-Type` header that users provide, instead of verifying what the file actually contains. This permits MIME type spoofing, where a file is declared as one type when it is actually another. Because the upload endpoint is whitelisted (allowed without authentication), an attacker can upload malicious files by claiming they are safe types such as PDFs, leading to stored attacks or remote code execution (RCE, where attackers run commands on the server).
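The header-only check described above, next to a check that also inspects the file's extension and leading bytes. This is an added example, not Flowise code or the project's fix; the function names, the allowlist and the sample uploads are hypothetical and constructed for illustration.

```javascript
// Added example; names are hypothetical and this is not Flowise code.
const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Allowlisted types: permitted extensions and a leading-bytes signature test.
const ALLOWED = new Map([
  ['application/pdf', { exts: ['.pdf'], sig: (b) => b.subarray(0, 5).toString('latin1') === '%PDF-' }],
  ['image/png', { exts: ['.png'], sig: (b) => b.subarray(0, 8).equals(PNG_MAGIC) }],
  ['image/jpeg', { exts: ['.jpg', '.jpeg'], sig: (b) => b.length > 2 && b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff }],
]);

// Weak pattern from the summary: only the client-declared Content-Type is consulted.
function headerOnlyCheck(declaredType) {
  return ALLOWED.has(declaredType);
}

// Hardened pattern: declared type, file extension and leading bytes must all agree.
function contentCheck(declaredType, filename, body) {
  const rule = ALLOWED.get(declaredType);
  if (!rule) return { ok: false, reason: 'type not allowlisted' };
  const dot = filename.lastIndexOf('.');
  const ext = dot === -1 ? '' : filename.slice(dot).toLowerCase();
  if (!rule.exts.includes(ext)) return { ok: false, reason: 'extension mismatch' };
  if (!rule.sig(body)) return { ok: false, reason: 'content does not match declared type' };
  return { ok: true, reason: 'ok' };
}

// Constructed sample uploads (not taken from the advisory).
const realPdf = Buffer.from('%PDF-1.7\n1 0 obj\n<< >>\nendobj\n', 'latin1');
const htmlAsPdf = Buffer.from('<!doctype html><p>not a pdf</p>', 'utf8');

// The header alone cannot tell the two uploads apart; the content check can.
console.log(headerOnlyCheck('application/pdf'));
console.log(contentCheck('application/pdf', 'report.pdf', realPdf));
console.log(contentCheck('application/pdf', 'report.pdf', htmlAsPdf));
console.log(contentCheck('application/pdf', 'report.html', htmlAsPdf));
```

A signature check is a baseline rather than a complete defence: files crafted to be valid in two formats can still pass it, and it does nothing about the endpoint being reachable without authentication.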
Vulnerability Details
EPSS: 0.1%
Original source: https://github.com/advisories/GHSA-j8g8-j7fc-43v6
First tracked: March 6, 2026 at 03:00 PM