GHSA-rh7v-6w34-w2rr: Flowise: File Upload Validation Bypass in createAttachment

April 16, 2026

In FlowiseAI, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE).

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr
github.com/advisories/GHSA-rh7v-6w34-w2rr

Code Behaviors & Features

Detect and mitigate GHSA-rh7v-6w34-w2rr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →