Flowise RCE via Malicious JavaScript Uploads

The National Vulnerability Database has disclosed CVE-2026-41269, a high-severity vulnerability (CVSS 7.1) affecting Flowise, a drag-and-drop UI for building custom large language model flows. Prior to version 3.1.0, Flowise allowed the Chatflow configuration's file upload settings to be modified to accept the application/javascript MIME type. This bypasses the frontend restrictions and permits attackers to upload .js files.

This flaw enables threat actors to persistently store malicious Node.js web shells on the server. The National Vulnerability Database indicates this can lead to Remote Code Execution (RCE), giving attackers full control over the compromised system. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), a common weakness involving unrestricted upload of dangerous file types.

For defenders, this is a critical supply chain risk. An RCE in a tool like Flowise, often used for AI/ML development, can lead to data exfiltration, system compromise, and further lateral movement within an environment. Patching is the only viable defense here.

What This Means For You

  • If your organization uses Flowise, you need to immediately verify your version. If it's prior to 3.1.0, patch to 3.1.0 or newer *right now*. Then, audit your Flowise server for any suspicious `.js` files in upload directories and review logs for unauthorized file uploads or unusual server activity.
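The following script is an added example written for this post; it is not Flowise project code. It shows the three defender checks the advice above describes: flagging a Flowise version prior to 3.1.0, detecting a chatflow upload allow-list that admits application/javascript (the weak setting beside a hardened one) with a server-side gate that refuses script uploads regardless of that allow-list, and auditing an upload directory and upload logs for .js files. The configuration key `fileUploadAllowedTypes`, the `key=value` log format, the sample log lines and the directory path are assumptions constructed for illustration.

```python
"""Defender-side checks for CVE-2026-41269-style unrestricted file uploads.

Added example, not Flowise project code. The configuration key
"fileUploadAllowedTypes", the upload log format and the directory layout are
assumptions chosen for illustration; the 3.1.0 fix version, the
application/javascript MIME type and the .js extension come from the advisory.
"""
import os
import re
from typing import Iterable

# Script MIME types and extensions that a chat upload endpoint should refuse
# regardless of what the per-chatflow allow-list says (CWE-434 mitigation).
SCRIPT_MIME_TYPES = {
    "application/javascript", "text/javascript", "application/x-javascript",
    "application/ecmascript", "text/ecmascript",
}
SCRIPT_EXTENSIONS = {".js", ".mjs", ".cjs"}
FIXED_VERSION = (3, 1, 0)

# Hypothetical chatflow upload configurations: the weak one mirrors the
# advisory (application/javascript added to the allow-list); the hardened one
# carries only non-executable document types.
WEAK_CONFIG = {"fileUploadAllowedTypes": ["image/png", "application/pdf",
                                          "application/javascript"]}
SAFE_CONFIG = {"fileUploadAllowedTypes": ["image/png", "application/pdf"]}


def is_vulnerable_version(version: str) -> bool:
    """True for any Flowise release before 3.1.0 (e.g. '3.0.4', 'v2.2.8')."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    return parts < FIXED_VERSION


def config_violations(config: dict) -> list[str]:
    """MIME types in a chatflow allow-list that would permit script uploads."""
    allowed = config.get("fileUploadAllowedTypes", [])
    return sorted(t for t in allowed if t.lower() in SCRIPT_MIME_TYPES)


def is_upload_permitted(config: dict, filename: str, mime_type: str) -> bool:
    """Server-side gate: an independent denylist of script types is checked
    before the allow-list, so a tampered allow-list cannot re-enable .js."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in SCRIPT_EXTENSIONS or mime_type.lower() in SCRIPT_MIME_TYPES:
        return False
    allowed = {t.lower() for t in config.get("fileUploadAllowedTypes", [])}
    return mime_type.lower() in allowed


def script_files_in(paths: Iterable[str]) -> list[str]:
    """Filter file paths down to those carrying a script extension."""
    return sorted(p for p in paths
                  if os.path.splitext(p)[1].lower() in SCRIPT_EXTENSIONS)


def audit_upload_dir(root: str) -> list[str]:
    """Walk an upload directory (path is an assumption) and list stored .js files."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in filenames)
    return script_files_in(found)


# Constructed sample upload log lines in an assumed "key=value" format.
SAMPLE_LOG = """\
2026-04-24T09:12:03Z level=info event=upload chatflow=abc123 file=report.pdf mime=application/pdf ip=10.0.0.5
2026-04-24T09:13:41Z level=info event=upload chatflow=abc123 file=notes.png mime=image/png ip=10.0.0.5
2026-04-24T09:15:22Z level=info event=upload chatflow=abc123 file=shell.js mime=application/javascript ip=203.0.113.7
2026-04-24T09:15:59Z level=info event=config_update chatflow=abc123 field=fileUploadAllowedTypes value=application/javascript ip=203.0.113.7
"""

UPLOAD_RE = re.compile(r"event=upload .*?file=(?P<file>\S+) mime=(?P<mime>\S+)")
CONFIG_RE = re.compile(r"event=config_update .*?field=fileUploadAllowedTypes value=(?P<value>\S+)")


def suspicious_log_lines(log_text: str) -> list[str]:
    """Lines showing a script upload or an allow-list change that admits scripts."""
    hits = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.search(line)
        if m and (m.group("mime").lower() in SCRIPT_MIME_TYPES
                  or os.path.splitext(m.group("file"))[1].lower() in SCRIPT_EXTENSIONS):
            hits.append(line)
            continue
        c = CONFIG_RE.search(line)
        if c and c.group("value").lower() in SCRIPT_MIME_TYPES:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("vulnerable 3.0.4:", is_vulnerable_version("3.0.4"))
    print("weak config violations:", config_violations(WEAK_CONFIG))
    print("shell.js via weak config:",
          is_upload_permitted(WEAK_CONFIG, "shell.js", "application/javascript"))
    for line in suspicious_log_lines(SAMPLE_LOG):
        print("ALERT:", line)
```

The design point is in `is_upload_permitted`: the script denylist is evaluated before the configurable allow-list, so the fix does not depend on what an authenticated user can put into the chatflow settings. `audit_upload_dir` can be pointed at whatever directory your deployment stores uploads in; `suspicious_log_lines` pairs the upload event with the configuration change that enabled it, which is the sequence the advisory describes.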

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access), severity high

Detection Rules

The page lists 3 auto-generated detection rules in 6 SIEM formats (Sigma YAML, Splunk SPL, Sentinel KQL, Elastic, QRadar AQL, Wazuh), mapped to MITRE ATT&CK. The rule shown in the Sigma preview is:

  • CVE-2026-41269 - Flowise Malicious JavaScript Upload

Indicators of Compromise

  ID              Type  Indicator
  CVE-2026-41269  RCE   Flowise versions prior to 3.1.0
  CVE-2026-41269  RCE   Chatflow configuration file upload settings allowing the application/javascript MIME type
  CVE-2026-41269  RCE   Upload of .js files to store malicious Node.js web shells

Source & Attribution

  Source Platform: NVD
  Channel: National Vulnerability Database
  Published: April 23, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
