CVE Catalog

CVE-2026-56275

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

Flowise before 3.1.0 contains a server-side request forgery (SSRF) vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses and access cloud metadata.

Risk Assessment

This vulnerability may lead to unauthorized access to internal organizational resources and allow enumeration of internal services, increasing the risk of data leakage.

Recommendation

It is recommended to update Flowise to version 3.1.0 or later to mitigate this vulnerability. Additionally, conducting a security audit is advisable to identify and minimize SSRF-related risks.

Original NVD description (English source)

Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses, access cloud metadata, and enumerate internal services by exploiting the missing secureFetch verification in httpSecurity.ts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS