Server-Side Request Forgery in Flowise by FlowiseAI
CVE-2026-56275

6 MEDIUM

Key Information:

Vendor: Flowise

Status
Vendor
CVE Published: 23 June 2026

What is CVE-2026-56275?

Flowise prior to version 3.1.0 is vulnerable to server-side request forgery (SSRF) via the Execute Flow node. A malicious user can enter internal network addresses in the node's insecure base URL field, causing the server to issue unauthorized HTTP requests to internal services, access sensitive cloud metadata, and enumerate networked systems. The vulnerability arises from the absence of proper secureFetch verification, which undermines the integrity of the httpSecurity.ts component. Users should update to version 3.1.0 or later to mitigate the risk.
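The kind of check a base URL field needs before the server fetches it, as an added example (not Flowise's own code; `checkBaseUrl` and its helpers are hypothetical names). It covers literal hosts only: a hostname that resolves to an internal address still has to be caught by checking the resolved address at connect time and re-checking every redirect.

```javascript
// Added example: literal-host deny check for a user-supplied base URL.
// Function names are hypothetical; this is not Flowise's httpSecurity.ts code.
const BLOCKED_V4 = [ // [network, prefix length, label]
  ['0.0.0.0', 8, 'unspecified'], ['10.0.0.0', 8, 'private'],
  ['100.64.0.0', 10, 'carrier-grade NAT'], ['127.0.0.0', 8, 'loopback'],
  ['169.254.0.0', 16, 'link-local / cloud metadata'],
  ['172.16.0.0', 12, 'private'], ['192.168.0.0', 16, 'private'],
];

// Dotted quad -> unsigned 32-bit integer (no bitwise ops, to stay unsigned).
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function blockedV4(ip) {
  const addr = v4ToInt(ip);
  for (const [net, bits, label] of BLOCKED_V4) {
    const size = 2 ** (32 - bits);
    if (Math.floor(addr / size) === Math.floor(v4ToInt(net) / size)) return label;
  }
  return null;
}

// host: bracket-free IPv6 text as serialized by the URL parser (compressed, hex).
function blockedV6(host) {
  if (host === '::' || host === '::1') return 'unspecified or loopback';
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (m) { // IPv4-mapped: re-check the embedded IPv4 address
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return blockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  if (/^f[cd][0-9a-f]{2}:/.test(host)) return 'unique-local';
  if (/^fe[89ab][0-9a-f]:/.test(host)) return 'link-local';
  return null;
}

function checkBaseUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { allowed: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:')
    return { allowed: false, reason: 'scheme not allowed' };
  // The WHATWG parser has already normalized decimal/hex/short IPv4 forms.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  let reason = null;
  if (host === 'localhost' || host.endsWith('.localhost')) reason = 'loopback';
  else if (host.startsWith('[')) reason = blockedV6(host.slice(1, -1));
  else if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) reason = blockedV4(host);
  return reason ? { allowed: false, reason } : { allowed: true, reason: null };
}
```

Classifying the host after `new URL()` has parsed it means alternate spellings of an IPv4 address are compared in their normalized dotted form rather than as raw strings.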

Affected Version(s)

Flowise 0 < 3.1.0

Flowise 3.1.0

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

cn-panda