GHSA-rh7v-6w34-w2rr: Flowise: File Upload Validation Bypass in createAttachment
Summary
FlowiseAI has a file upload validation bypass vulnerability in its Chatflow configuration where attackers can modify settings to allow the application/javascript MIME type (a file format label), enabling them to upload malicious .js (JavaScript) files even though the interface normally blocks them. These uploaded files can become persistent web shells (programs that let attackers run commands on the server), potentially leading to RCE (remote code execution, where an attacker can run arbitrary commands on the system).
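A server-side check that closes this class of bypass, written as an added example and not taken from Flowise's code: the per-chatflow allow-list is treated as untrusted input and can only narrow a fixed server ceiling, and script extensions are refused whatever MIME type is declared. All names (SERVER_ALLOWED, BLOCKED_EXT, validateUpload, the file fields) are hypothetical.

```javascript
// Added example. Names and field layout are hypothetical, not Flowise's API.

// Fixed server-side ceiling: chatflow settings may narrow it, never widen it.
const SERVER_ALLOWED = new Map([
  ['image/png', ['.png']],
  ['image/jpeg', ['.jpg', '.jpeg']],
  ['application/pdf', ['.pdf']],
  ['text/plain', ['.txt']],
]);

// Extensions refused regardless of the declared MIME type or chatflow config.
const BLOCKED_EXT = new Set(['.js', '.mjs', '.cjs', '.html', '.htm', '.svg']);

// Extension of the final path component, ignoring trailing dots and spaces.
function extOf(name) {
  const base = String(name || '').split(/[\\/]/).pop().replace(/[. ]+$/, '');
  const i = base.lastIndexOf('.');
  return i > 0 ? base.slice(i).toLowerCase() : '';
}

// Intersect the user-editable chatflow list with the server ceiling.
function effectiveAllowList(chatflowAllowed) {
  const wanted = Array.isArray(chatflowAllowed) ? chatflowAllowed : [];
  return new Set(
    wanted.map((m) => String(m).toLowerCase().trim())
          .filter((m) => SERVER_ALLOWED.has(m))
  );
}

function validateUpload(file, chatflowAllowed) {
  const mime = String(file.mimetype || '').toLowerCase().split(';')[0].trim();
  const ext = extOf(file.originalname);
  if (BLOCKED_EXT.has(ext)) return { ok: false, reason: 'blocked extension' };
  if (!effectiveAllowList(chatflowAllowed).has(mime)) {
    return { ok: false, reason: 'mime not allowed' };
  }
  if (!SERVER_ALLOWED.get(mime).includes(ext)) {
    return { ok: false, reason: 'extension/mime mismatch' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample: a chatflow config edited to add application/javascript.
const tamperedConfig = ['image/png', 'application/javascript'];
console.log(validateUpload(
  { originalname: 'shell.js', mimetype: 'application/javascript' }, tamperedConfig));
```

Rejections from a check like this are also worth logging with the chatflow id, since a configuration that requests a type outside the server ceiling is itself a signal.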
Original source: https://github.com/advisories/GHSA-rh7v-6w34-w2rr
First tracked: April 17, 2026 at 02:00 AM