CVE-2026-56275
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Flowise before 3.1.0 contains a server-side request forgery (SSRF) vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses and access cloud metadata.
Risk Assessment
This vulnerability may lead to unauthorized access to internal organizational resources and allow enumeration of internal services, increasing the risk of data leakage.
Recommendation
It is recommended to update Flowise to version 3.1.0 or later to mitigate this vulnerability. Additionally, conducting a security audit is advisable to identify and minimize SSRF-related risks.
Original NVD description (English source)
Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses, access cloud metadata, and enumerate internal services by exploiting the missing secureFetch verification in httpSecurity.ts.

