Cross-Site Scripting Vulnerability in Flowise Text-to-Speech Generation Endpoint
CVE-2026-56277

6.9MEDIUM

Key Information:

Vendor

Flowise

Status
Vendor
CVE Published:
30 June 2026

What is CVE-2026-56277?

Flowise versions before 3.1.2 expose a significant security risk through a hardcoded Access-Control-Allow-Origin wildcard on its text-to-speech generation endpoint. This misconfiguration allows any website to bypass established CORS policies, enabling unauthorized cross-origin requests. As a result, attackers can exploit this vulnerability to generate TTS audio using stored authentication credentials, facilitating potential credential abuse via drive-by attacks. Users of Flowise should ensure they upgrade to the latest version to mitigate this risk.

Affected Version(s)

Flowise 0 < 3.1.2

Flowise 3.1.2

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

DeathsPirate
.