CVE-2026-12821 | A vulnerability was determined in FlowiseAI Flowise up to 3.… | CVSS 6.3 MEDIUM

Description

A vulnerability was determined in FlowiseAI Flowise up to 3.1.2. The impacted element is an unknown function of the file packages/components/nodes/documentloaders/S3/S3.ts of the component S3 Document Loader. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Metadata

CVE ID: CVE-2026-12821
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-21 13:10 UTC
Published: 2026-06-21 23:15 UTC
Last updated: 2026-06-21 23:15 UTC
Primary CWE: CWE-22
Path Traversal
Vendor / Product: FlowiseAI / Flowise
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Affected products (1)

Vendor	Product	Platform	Versions
FlowiseAI	Flowise	—	3.1.0, 3.1.1, 3.1.2

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	Path Traversal

CVSS scores (4)

Score	Severity	Version	Source	Vector
6.5	N/D	2.0	cna	AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
6.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
6.3	MEDIUM	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

References (5)

VDB-372611 | FlowiseAI Flowise S3 Document Loader S3.ts path traversal https://vuldb.com/vuln/372611
VDB-372611 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/372611/cti
CVE-2026-12821 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-12821
Submit #837578 | FlowiseAI/Flowise - `packages/components/nodes/documentloaders/S3/S3.ts` - `S3Directory / S3File document loader temporary-file handling` 3.1.2 Path Traversal / Arbitrary Local File Write / Unsafe Cleanup https://vuldb.com/submit/837578
https://github.com/dxz0069/softwareoverflow/blob/main/flowise_s3_loader_object_key_path_traversal_vulndb.md