HTTP Client Vulnerability in Flowise by FlowiseAI
CVE-2026-43995

5.3 MEDIUM

Key Information:

Vendor: Flowiseai

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-43995?

Flowise, a drag-and-drop interface for building customized large language model flows, contains a vulnerability in which multiple tool implementations call raw HTTP clients such as node-fetch and axios directly, without the necessary secure wrappers. This design flaw, present in versions before 3.1.0, exposes users to potential security risks because these tools do not follow safe data handling practices. The issue has been addressed in the latest release, which reinforces secure communication protocols.

Affected Version(s)

Flowise < 3.1.0

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved