CVE-2026-41269: Flowise: File Upload Validation Bypass in createAttachment

April 16, 2026 (updated April 24, 2026)

In FlowiseAI, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE).

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr
github.com/advisories/GHSA-rh7v-6w34-w2rr
nvd.nist.gov/vuln/detail/CVE-2026-41269

Code Behaviors & Features

Detect and mitigate CVE-2026-41269 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →