Incomplete List of Disallowed Inputs Affecting flowise-components package, versions <3.1.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-FLOWISECOMPONENTS-16725773
- published17 May 2026
- disclosed14 May 2026
- creditcn-panda
Introduced: 14 May 2026
New CVE NOT AVAILABLE CWE-184 (opens in a new tab)How to fix?
Upgrade flowise-components to version 3.1.2 or higher.
Overview
flowise-components is a Flowiseai Components
Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs inadequate input validation in the validateCommandFlags and validateArgsForLocalFileAccess functions. An attacker can execute arbitrary commands on the server by bypassing command flag blacklists and local file access restrictions through crafted arguments to the MCP interface. This is only exploitable if the attacker has an account or API access with view and update permissions for chatflows, and the deployment environment has the required commands (such as docker or npx) available.