CVE-2026-43995
CriticalSummary
Flowise is a drag & drop user interface to build customized large language model flows. In versions prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients, creating a security vulnerability.
Risk Assessment
Using unsecured HTTP clients may lead to unauthorized data access and man-in-the-middle attacks, jeopardizing the integrity and confidentiality of information.
Recommendation
It is recommended to upgrade to version 3.1.0 to utilize the secured wrapper and minimize the risks associated with this vulnerability.
Original NVD description (English source)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2) WebScraperTool/WebScraperTool.ts, (3) MCP/core.ts, and (4) Arxiv/core.ts. This vulnerability is fixed in 3.1.0.

