Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 8bbfadf6439d · 2026-03-06T18:49:55.000Z
GHSA-j8g8-j7fc-43v6 GHSA-m4h2-mjfm-mp55 GHSA-wvhq-wp8g-c7vq
diff --git a/advisories/github-reviewed/2026/03/GHSA-j8g8-j7fc-43v6/GHSA-j8g8-j7fc-43v6.json b/advisories/github-reviewed/2026/03/GHSA-j8g8-j7fc-43v6/GHSA-j8g8-j7fc-43v6.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j8g8-j7fc-43v6",
+  "modified": "2026-03-06T18:49:20Z",
+  "published": "2026-03-06T18:49:20Z",
+  "aliases": [
+    "CVE-2026-30821"
+  ],
+  "summary": "Flowise has Arbitrary File Upload via MIME Spoofing",
+  "details": "### Vulnerability **Description**\n\n---\n\n**Vulnerability Overview**\n \n- The `/api/v1/attachments/:chatflowId/:chatId` endpoint is listed in `WHITELIST_URLS`, allowing unauthenticated access to the file upload API.\n- While the server validates uploads based on the MIME types defined in `chatbotConfig.fullFileUpload.allowedUploadFileTypes`, it implicitly trusts the client-provided `Content-Type` header (`file.mimetype`) without verifying the file's actual content (magic bytes) or extension (`file.originalname`).\n- Consequently, an attacker can bypass this restriction by spoofing the `Content-Type` as a permitted type (e.g., `application/pdf`) while uploading malicious scripts or arbitrary files. Once uploaded via `addArrayFilesToStorage`, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE).\n\n**Vulnerable Code**\n\n- Upload Route Definition\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/attachments/index.ts#L7-L10\n    \n    ```tsx\n    // CREATE\n    router.post('/:chatflowId/:chatId', getMulterStorage().array('files'), attachmentsController.createAttachment)\n    export default router\n    ```\n    \n- Mount /api/v1/attachments to the global router\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/index.ts#L72-L77\n    \n    ```tsx\n    const router = express.Router()\n    router.use('/ping', pingRouter)\n    router.use('/apikey', apikeyRouter)\n    router.use('/assistants', assistantsRouter)\n    router.use('/attachments', attachmentsRouter)\n    ```\n    \n- Include /api/v1/attachments in the WHITELIST_URLS list\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/constants.ts#L6-L26\n    \n    ```tsx\n    export const WHITELIST_URLS = [\n        '/api/v1/verify/apikey/',\n        '/api/v1/chatflows/apikey/',\n        '/api/v1/public-chatflows',\n        '/api/v1/public-chatbotConfig',\n        '/api/v1/public-executions',\n        '/api/v1/prediction/',\n        '/api/v1/vector/upsert/',\n        '/api/v1/node-icon/',\n        '/api/v1/components-credentials-icon/',\n        '/api/v1/chatflows-streaming',\n        '/api/v1/chatflows-uploads',\n        '/api/v1/openai-assistants-file/download',\n        '/api/v1/feedback',\n        '/api/v1/leads',\n        '/api/v1/get-upload-file',\n        '/api/v1/ip',\n        '/api/v1/ping',\n        '/api/v1/version',\n        '/api/v1/attachments',\n        '/api/v1/metrics',\n    ```\n    \n- Bypass JWT validation if the URL is whitelisted\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/index.ts#L213-L228\n    \n    ```tsx\n            const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : []\n            const whitelistURLs = WHITELIST_URLS.filter((url) => !denylistURLs.includes(url))\n            const URL_CASE_INSENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//i\n            const URL_CASE_SENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//\n    \n            await initializeJwtCookieMiddleware(this.app, this.identityManager)\n    \n            this.app.use(async (req, res, next) => {\n                // Step 1: Check if the req path contains /api/v1 regardless of case\n                if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {\n                    // Step 2: Check if the req path is casesensitive\n                    if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {\n                        // Step 3: Check if the req path is in the whitelist\n                        const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))\n                        if (isWhitelisted) {\n                            next()\n    ```\n    \n- Multer Configuration: Saves files without file type validation\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/index.ts#L1917-L1960\n    \n    ```tsx\n    export const getUploadPath = (): string => {\n        return process.env.BLOB_STORAGE_PATH\n            ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')\n            : path.join(getUserHome(), '.flowise', 'uploads')\n    }\n    \n    export function generateId() {\n        return uuidv4()\n    }\n    \n    export const getMulterStorage = () => {\n        const storageType = process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : 'local'\n    \n        if (storageType === 's3') {\n            const s3Client = getS3Config().s3Client\n            const Bucket = getS3Config().Bucket\n    \n            const upload = multer({\n                storage: multerS3({\n                    s3: s3Client,\n                    bucket: Bucket,\n                    metadata: function (req, file, cb) {\n                        cb(null, { fieldName: file.fieldname, originalName: file.originalname })\n                    },\n                    key: function (req, file, cb) {\n                        cb(null, `${generateId()}`)\n                    }\n                })\n            })\n            return upload\n        } else if (storageType === 'gcs') {\n            return multer({\n                storage: new MulterGoogleCloudStorage({\n                    projectId: process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID,\n                    bucket: process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME,\n                    keyFilename: process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL,\n                    uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,\n                    destination: `uploads/${generateId()}`\n                })\n            })\n        } else {\n            return multer({ dest: getUploadPath() })\n        }\n    }\n    ```\n    \n- Transfers uploaded files to storage without verification\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/createAttachment.ts#L124-L158\n    \n    ```tsx\n        const files = (req.files as Express.Multer.File[]) || []\n        const fileAttachments = []\n        if (files.length) {\n            const isBase64 = req.body.base64\n            for (const file of files) {\n                if (!allowedFileTypes.length) {\n                    throw new InternalFlowiseError(\n                        StatusCodes.BAD_REQUEST,\n                        `File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}`\n                    )\n                }\n    \n                // Validate file type against allowed types\n                if (allowedFileTypes.length > 0 && !allowedFileTypes.includes(file.mimetype)) {\n                    throw new InternalFlowiseError(\n                        StatusCodes.BAD_REQUEST,\n                        `File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}`\n                    )\n                }\n    \n                await checkStorage(orgId, subscriptionId, appServer.usageCacheManager)\n    \n                const fileBuffer = await getFileFromUpload(file.path ?? file.key)\n                const fileNames: string[] = []\n                // Address file name with special characters: https://github.com/expressjs/multer/issues/1104\n                file.originalname = Buffer.from(file.originalname, 'latin1').toString('utf8')\n                const { path: storagePath, totalSize } = await addArrayFilesToStorage(\n                    file.mimetype,\n                    fileBuffer,\n                    file.originalname,\n                    fileNames,\n                    orgId,\n                    chatflowid,\n                    chatId\n                )\n    ```\n    \n\n### PoC\n\n---\n\n**PoC Description**\n \n- Create a local file named `shell.js` containing arbitrary JavaScript code (or a malicious payload).\n- Send a `multipart/form-data` request to the `/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/:chatId` endpoint without any authentication (login, session, or API keys).\n- During the upload, retain the filename as `shell.js` but spoof the `Content-Type` header as `application/pdf`.\n- This exploits the server's reliance solely on the client-provided `file.mimetype`, forcing it to process the malicious JS file as an allowed PDF, thereby confirming unauthenticated arbitrary file upload.\n\n**PoC**\n\n\n```bash\ncurl -X POST \\\n  \"http://localhost:3000/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/$(uuidgen)\" \\\n  -F \"files=@shell.js;type=application/pdf\"\n```\n\n<img width=\"1916\" height=\"1011\" alt=\"image\" src=\"https://github.com/user-attachments/assets/45679d95-00b9-4bee-9c94-7bd9403554d5\" />\n\n\n### Impact\n\n---\n\n**1. Root Cause**\nThe vulnerability stems from relying solely on the MIME type without cross-validating the file extension or actual content. This allows attackers to upload executable files (e.g., `.js`, `.php`) or malicious scripts (`.html`) by masquerading them as benign images or documents.\n\n**2. Key Attack Scenarios**\n\n- **Server Compromise (RCE):** An attacker uploads a **Web Shell** and triggers its execution on the server. Successful exploitation grants system privileges, allowing unauthorized access to internal data and full control over the server.\n- **Client-Side Attack (Stored XSS):** An attacker uploads files containing malicious scripts (e.g., HTML, SVG). When a victim views the file, the script executes within their browser, leading to session cookie theft and account takeover.\n\n**3. Impact**\nThis vulnerability is rated as **High** severity. The risk is particularly critical if the system utilizes shared storage (e.g., S3, GCS) or static hosting features, as the compromise could spread to the entire infrastructure and affect other tenants.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "flowise"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.0.13"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.0.12"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/FlowiseAI/Flowise"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-434"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-06T18:49:20Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-m4h2-mjfm-mp55/GHSA-m4h2-mjfm-mp55.json b/advisories/github-reviewed/2026/03/GHSA-m4h2-mjfm-mp55/GHSA-m4h2-mjfm-mp55.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m4h2-mjfm-mp55",
+  "modified": "2026-03-06T18:47:52Z",
+  "published": "2026-03-06T18:47:52Z",
+  "aliases": [
+    "CVE-2026-30241"
+  ],
+  "summary": "Mercurius's queryDepth limit bypassed for WebSocket subscriptions",
+  "details": "## Description\n\nMercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are parsed and executed without invoking the depth validation. This allows a remote client to submit arbitrarily deeply nested subscription queries over WebSocket, bypassing the intended depth restriction. On schemas with recursive types, this can lead to denial of service through exponential data resolution on each subscription event.\n\n## Workarounds\n\nDisable subscriptions and, in general, queries over the WebSocket.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "mercurius"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "16.8.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mercurius-js/mercurius/security/advisories/GHSA-m4h2-mjfm-mp55"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mercurius-js/mercurius/commit/5b56f60f4b0d60780b0ff499a479bd830bdd6986"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mercurius-js/mercurius"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-06T18:47:52Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-wvhq-wp8g-c7vq/GHSA-wvhq-wp8g-c7vq.json b/advisories/github-reviewed/2026/03/GHSA-wvhq-wp8g-c7vq/GHSA-wvhq-wp8g-c7vq.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wvhq-wp8g-c7vq",
+  "modified": "2026-03-06T18:48:22Z",
+  "published": "2026-03-06T18:48:22Z",
+  "aliases": [
+    "CVE-2026-30820"
+  ],
+  "summary": "Flowise has Authorization Bypass via Spoofed x-request-from Header",
+  "details": "### Summary\n\nFlowise trusts any HTTP client that sets the header `x-request-from: internal`, allowing an authenticated tenant session to bypass all `/api/v1/**` authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints (API key management, credential stores, custom function execution, etc.), effectively escalating privileges.\n\n### Details\n\nThe global middleware that guards `/api/v1` routes lives in `external/Flowise/packages/server/src/index.ts:214`. After filtering out the whitelist, the logic short-circuits on the spoofable header:\n\n```javascript\nif (isWhitelisted) {\n    next();\n} else if (req.headers['x-request-from'] === 'internal') {\n    verifyToken(req, res, next);\n} else {\n    const { isValid } = await validateAPIKey(req);\n    if (!isValid) return res.status(401).json({ error: 'Unauthorized Access' });\n    … // owner context stitched from API key\n}\n```\n\nBecause the middle branch blindly calls verifyToken, any tenant that already has a UI session cookie is treated as an internal client simply by adding that header. No additional permission checks are performed before `next()` executes, so every downstream router under `/api/v1` becomes reachable.\n\n### PoC\n\n1. Log into Flowise 3.0.8 and capture cookies (e.g., `curl -c /tmp/flowise_cookies.txt … /api/v1/auth/login`).\n2. Invoke an internal-only endpoint with the spoofed header:\n\n```bash\n    curl -sS -b /tmp/flowise_cookies.txt \\\n      -H 'Content-Type: application/json' \\\n      -H 'x-request-from: internal' \\\n      -X POST http://127.0.0.1:3100/api/v1/apikey \\\n      -d '{\"keyName\":\"Bypass Demo\"}'\n```\n    The server returns HTTP 200 and the newly created key object.\n3. Remove the header and retry:\n\n```bash\n    curl -sS -b /tmp/flowise_cookies.txt \\\n      -H 'Content-Type: application/json' \\\n      -X POST http://127.0.0.1:3100/api/v1/apikey \\\n      -d '{\"keyName\":\"Bypass Demo\"}'\n```\n    This yields {\"error\":\"Unauthorized Access\"}, confirming the header alone controls access.\n\nThe same spoof grants access to other privileged routes like `/api/v1/credentials`, `/api/v1/tools`, `/api/v1/node-custom-function`, etc.\n\n### Impact\n\nThis is an authorization bypass / privilege escalation. Any authenticated tenant (even without API keys or elevated roles) can execute internal administration APIs solely from the browser, enabling actions such as minting new API keys, harvesting stored secrets, and, when combined with other flaws (e.g., Custom Function RCE), full system compromise. All self-hosted Flowise 3.0.8 deployments that rely on the default middleware are affected.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "flowise"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.0.13"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.0.12"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wvhq-wp8g-c7vq"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/FlowiseAI/Flowise"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-06T18:48:22Z",
+    "nvd_published_at": null
+  }
+}
