CVE Catalog

CVE-2026-43995

Critical
Published: Translated: NVD NIST

Summary

Flowise is a drag & drop user interface to build customized large language model flows. In versions prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients, creating a security vulnerability.

Risk Assessment

Using unsecured HTTP clients may lead to unauthorized data access and man-in-the-middle attacks, jeopardizing the integrity and confidentiality of information.

Recommendation

It is recommended to upgrade to version 3.1.0 to utilize the secured wrapper and minimize the risks associated with this vulnerability.

Original NVD description (English source)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2) WebScraperTool/WebScraperTool.ts, (3) MCP/core.ts, and (4) Arxiv/core.ts. This vulnerability is fixed in 3.1.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS