CVE-2025-71324
Received - Intake
Arbitrary File Read in Flowise AI Application

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is not validated and is passed to streamStorageFile(), where a fallback file-lookup path constructed without the orgId is evaluated after the storage-directory containment check, allowing path traversal beyond the intended storage directory. Unauthenticated attackers can read sensitive files such as /root/.flowise/database.sqlite, exposing all database content in the default configuration.
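The ordering problem described above, as an added sketch that is not Flowise's code: the storage root, directory layout, identifier pattern and function names are all assumptions. It contrasts a containment check applied only to the primary path with one applied to every candidate path after the identifiers are validated.

```javascript
// Added illustration, not Flowise source. STORAGE_ROOT, the directory layout,
// ID_PATTERN and all function names are assumptions for this sketch.
const path = require('node:path');

const STORAGE_ROOT = path.resolve('/srv/app-storage'); // hypothetical storage directory
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;            // assumed identifier format

// True only if `candidate` resolves to a location strictly below `root`.
function isInside(root, candidate) {
  const rel = path.relative(root, path.resolve(candidate));
  const escapes = rel === '..' || rel.startsWith('..' + path.sep);
  return rel !== '' && !escapes && !path.isAbsolute(rel);
}

// Flawed ordering: only the primary path is checked; the fallback path,
// which lacks the orgId segment, is built afterwards and never re-checked.
function lookupCheckThenFallback(orgId, chatflowId, chatId, fileName) {
  const primary = path.join(STORAGE_ROOT, orgId, chatflowId, chatId, fileName);
  if (!isInside(STORAGE_ROOT, primary)) throw new Error('path outside storage');
  const fallback = path.join(STORAGE_ROOT, chatflowId, chatId, fileName);
  return [primary, fallback]; // paths the handler would be willing to open
}

// Hardened ordering: reject malformed identifiers first, then enforce
// containment on every path that may be opened, fallback included.
function lookupHardened(orgId, chatflowId, chatId, fileName) {
  for (const id of [orgId, chatflowId, chatId]) {
    if (typeof id !== 'string' || !ID_PATTERN.test(id)) {
      throw new Error('invalid identifier');
    }
  }
  const safeName = path.basename(String(fileName));
  const candidates = [
    path.join(STORAGE_ROOT, orgId, chatflowId, chatId, safeName),
    path.join(STORAGE_ROOT, chatflowId, chatId, safeName),
  ];
  if (!candidates.every((p) => isInside(STORAGE_ROOT, p))) {
    throw new Error('path outside storage');
  }
  return candidates;
}
```

Because the fallback path has one fewer directory segment than the primary path, a value that keeps the primary path inside the root can still move the fallback outside it, which is why the check has to cover both.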
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: flowise
Product: flowise
Version / Range: to 3.0.6 (exc)
CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
Executive Summary

This vulnerability exists in Flowise versions before 3.0.6 and involves an arbitrary file read issue. It occurs because the chatId parameter in the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints is not properly validated. The chatId value is passed to a function that constructs a file path without properly restricting it to the intended storage directory, allowing path traversal. This means an attacker can manipulate the chatId to access files outside the allowed directory.

Because of this, unauthenticated attackers can read sensitive files on the server, such as the database file located at /root/.flowise/database.sqlite, potentially exposing all database content if the default configuration is used.

Impact Analysis

This vulnerability can have serious impacts because it allows unauthenticated attackers to read arbitrary files on the server hosting Flowise. This can lead to exposure of sensitive information stored in files such as the database, which may contain confidential data.

The exposure of sensitive files can result in data breaches, loss of confidentiality, and potential further exploitation depending on the contents of the accessed files.
