Alphabetical characters and non-numerical symbol are inappropriately allowed as flow ID. There is potential for exploitation with characters such as '$' and '@'. Thus, flow IDs like 'abc', or '---' are accepted by restconf.

An example of a REST PUT call utilizing "---" as the flow ID that was accepted by the controller is shown below:

PUT http://<controller-ip>:8181/restconf/config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/--- d '<?xml version="1.0" encoding="UTF-8" standalone="no"?><flow xmlns="urn:opendaylight:flow:inventory"><hard-timeout>0</hard-timeout><idle-timeout>0</idle-timeout><priority>2</priority><flow-name>flow1</flow-name><match><ethernet-match><ethernet-type><type>2048</type></ethernet-type></ethernet-match><ipv4-destination>10.0.0.1/32</ipv4-destination></match><id>--</id><table_id>0</table_id><instructions><instruction><order>0</order><apply-actions><action><output-action><output-node-connector>1</output-node-connector></output-action><order>0</order></action></apply-actions></instruction></instructions></flow>'