CVE-2026-12821
Received Received - Intake
Path Traversal in FlowiseAI Flowise Document Loader

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: VulDB

Description
A vulnerability was determined in FlowiseAI Flowise up to 3.1.2. The impacted element is an unknown function of the file packages/components/nodes/documentloaders/S3/S3.ts of the component S3 Document Loader. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-22
AI Q&A
2026-06-22
EPSS Evaluated
N/A
NVD
CVE-2026-12821
EUVD
EUVD-2026-38202
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flowiseai flowise to 3.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-12821 is a path traversal vulnerability in FlowiseAI Flowise up to version 3.1.2, specifically in the S3 Document Loader component. The vulnerability occurs because the software uses S3 object keys, which can be controlled by an attacker, to create local temporary file paths without proper validation. This allows an attacker to include traversal sequences like "../" in the object keys to escape the intended temporary directory.

As a result, an attacker can write files arbitrarily on the local file system outside the designated temporary folder or affect recursive cleanup operations. This vulnerability can be exploited remotely and was demonstrated with a proof-of-concept that successfully wrote files outside the temporary directory.

The recommended fix involves normalizing object keys to safe basenames or rejecting traversal paths and enforcing path containment checks before performing file operations.

Impact Analysis

This vulnerability can allow an attacker to write or manipulate files anywhere on the local file system where the application has write permissions. This can lead to unauthorized file creation, modification, or deletion.

Potential impacts include corruption or deletion of important files, unauthorized code execution if malicious files are placed and executed, and disruption of normal application or system operations.

Because the attack can be launched remotely, it increases the risk of exploitation without requiring local access.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious S3 object keys containing path traversal sequences such as "../" that are used by the FlowiseAI S3 Document Loader. Detection involves checking if the application is processing or writing files outside the intended temporary directory.

One approach is to review logs or intercept network traffic to identify S3 object keys with traversal patterns.

Suggested commands include searching application logs or temporary directories for unexpected file paths or names:

  • grep -r '\.\./' /path/to/flowise/temp/
  • grep -r '\.\./' /var/log/flowise.log
  • Use network monitoring tools (e.g., tcpdump or Wireshark) to capture and filter S3 object key requests containing "../" sequences.
Mitigation Strategies

Immediate mitigation steps include normalizing or sanitizing S3 object keys to reject or remove any path traversal sequences before they are used to construct local file paths.

Specifically, enforce path containment checks to ensure that file operations do not escape the intended temporary directory.

If possible, apply patches or updates from the vendor; however, no public patches were identified at the time of discovery.

As a temporary workaround, restrict or monitor access to the vulnerable component and audit file system changes in the temporary directories used by Flowise.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12821. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart