CVE-2026-56273
Deferred Deferred - Pending Action

Path Traversal in Flowise Vector Store Implementations

Vulnerability report for CVE-2026-56273, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Flowise before 3.1.0 contains a path traversal vulnerability in Faiss and SimpleStore vector store implementations that accept unsanitized basePath parameters from authenticated users. Attackers with valid API tokens can write vector store data to arbitrary filesystem locations, potentially enabling code execution or data exfiltration.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
flowiseai flowise to 3.1.0 (exc)
flowiseai flowise_components to 3.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56273 is a path traversal vulnerability in the FlowiseAI/Flowise project, specifically affecting the Faiss and SimpleStore vector store implementations.

The vulnerability occurs because these components accept a user-controlled basePath parameter from authenticated users and use it directly in filesystem write operations without proper sanitization.

An attacker with a valid API token and document store permissions can exploit this flaw to write vector store data to arbitrary locations on the server filesystem.

This can lead to overwriting existing files or executing malicious code if the data is written to web-accessible directories.

Impact Analysis

This vulnerability allows an authenticated attacker with valid API tokens to write data to arbitrary filesystem locations on the server.

The impact includes potential code execution if malicious files are written to executable or web-accessible directories.

Additionally, it could enable data exfiltration by overwriting or manipulating files on the server.

Detection Guidance

This vulnerability can be detected by monitoring for unusual filesystem write operations originating from the Flowise application, especially those involving the basePath parameter in the Faiss and SimpleStore vector store implementations.

Since the vulnerability involves path traversal via the basePath parameter, detection can include checking logs for API calls with suspicious basePath values containing directory traversal sequences (e.g., ../).

Commands to help detect exploitation attempts might include:

  • Using grep to find suspicious basePath usage in logs: grep -r "basePath" /path/to/flowise/logs | grep "..\/"
  • Monitoring filesystem changes for unexpected file writes, for example using inotifywait or auditd on Linux to watch directories where Flowise stores data.
  • Checking for new or modified files in unusual locations such as /tmp or web-accessible directories: find /tmp -type f -mtime -1

Additionally, reviewing API token usage for unusual activity or access patterns can help identify potential exploitation.

Mitigation Strategies

The immediate mitigation step is to upgrade Flowise and flowise-components to version 3.1.0 or later, where the vulnerability has been patched.

Until the upgrade can be applied, restrict access to the API by limiting valid API tokens and permissions, especially those that allow document store write operations.

Monitor and audit API usage to detect and block suspicious requests attempting to exploit the basePath parameter.

Consider implementing additional input validation or sanitization on the basePath parameter if possible, to prevent directory traversal sequences.

Restrict filesystem permissions for the Flowise process to prevent writing to sensitive or web-accessible directories.

Compliance Impact

The vulnerability allows authenticated attackers to write data to arbitrary filesystem locations, potentially enabling code execution or data exfiltration.

Such unauthorized data access or exfiltration could lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls over personal and sensitive data.

Therefore, exploitation of this vulnerability may compromise compliance with these standards by exposing sensitive data or allowing unauthorized system modifications.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56273. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart