Server-Side Request Forgery Vulnerability in Flowise by FlowiseAI
CVE-2026-31829

7.1HIGH

Key Information:

Vendor: Flowiseai
Status: Flowise
Vendor: CVE Published:; 10 March 2026

What is CVE-2026-31829?

Flowise, a drag & drop user interface for building customized large language model flows, contains a vulnerability that exposes an HTTP Node in its AgentFlow and Chatflow functionalities. This issue allows for server-side HTTP requests to be made using user-controlled URLs without restrictions on target hosts, including internal IP ranges and cloud metadata endpoints. This poses a risk of Server-Side Request Forgery (SSRF), enabling potentially malicious users to access internal network resources that are normally inaccessible from the internet. This vulnerability was resolved in version 3.0.13.

Affected Version(s)

Flowise < 3.0.13

References

https://github.com/FlowiseAI/Flowise/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2026
Vulnerability Reserved
Mar 9, 2026

CVE-2026-31829 Data

JSON

Flowiseai

What is CVE-2026-31829?

Affected Version(s)

References

CVSS V3.1

Timeline