Flowise - SQL Injection in importChatflows API via chatflow.id Parameter | Advisories

Advisories

Flowise - SQL Injection in importChatflows API via chatflow.id Parameter

severity: medium
date: 6/24/2026
Affecting: Flowise <= 2.2.7
CVE: CVE-2025-71332
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 8.5
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References: GitHub Security Advisory (GHSA-9c4c-g95m-c8cp)
Credit: Tribal1012
Description: Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo