Server-Side Request Forgery Vulnerability in Flowise by FlowiseAI
CVE-2026-41270

7.1HIGH

Key Information:

Vendor: Flowiseai
Status: Flowise; Flowise-components
Vendor: CVE Published:; 23 April 2026

What is CVE-2026-41270?

Flowise, a user-friendly tool for creating customized large language model flows, was found to have a vulnerability that allows authenticated users to bypass Server-Side Request Forgery (SSRF) protection. This issue stems from limitations in the Custom Function feature. Although the application employs safeguards against SSRF attacks through HTTP_DENY_LIST restrictions for certain libraries, the native Node.js http, https, and net modules are not similarly protected in the NodeVM sandbox environment. Consequently, this oversight can lead to unauthorized access to internal network resources, including sensitive cloud provider metadata services. Users are strongly advised to update to version 3.1.0 or later to mitigate this vulnerability.

Affected Version(s)

Flowise < 3.1.0

flowise-components < 3.1.0

References

https://github.com/FlowiseAI/Flowise/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 23, 2026
Vulnerability Reserved
Apr 18, 2026

CVE-2026-41270 Data

JSON

Flowiseai

What is CVE-2026-41270?

Affected Version(s)

References

CVSS V3.1

Timeline