Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints. This enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the public internet. This vulnerability is fixed in 3.0.13.
Published: 2026-03-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery enabling hidden internal network access
Action: Immediate patch
AI Analysis

Impact

Flowise’s HTTP Node in AgentFlow and Chatflow accepts user‑supplied URLs for outbound requests without restrictions on target hosts. This flaw allows an attacker who can input a URL to coerce the Flowise server into requesting arbitrary internal resources, such as localhost IPs, private addresses or cloud metadata services. Successful exploitation could expose sensitive internal services, leak data, or serve as a pivot for further attacks, representing a significant confidentiality and integrity risk for any environment where Flowise is publicly reachable.

Affected Systems

The vulnerability affects Flowise products from FlowiseAI, any deployment employing Flowise versions older than 3.0.13. Versions starting with 3.0.13 contain the fix that enforces host restrictions.

Risk and Exploitability

The CVSS score of 7.1 labels the flaw as high severity, yet the EPSS score of less than 1 % indicates a low likelihood of exploitation in the wild so far. The flaw has not entered the CISA Known Exploited Vulnerabilities catalog. Attackers would need only ability to inject a crafted URL into a chatflow or agent flow exposed to the public internet; no privileged credentials are required. In typical usage, the SSRF could be triggered by a simple crafted message, making the vulnerability straightforward to exploit for a motivated attacker.

Generated by OpenCVE AI on April 16, 2026 at 03:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.0.13 or newer to apply the vendor‑supplied host‑restriction fix.
  • Reconfigure the HTTP Node to enforce an allow‑list that excludes RFC 1918 ranges, localhost, and cloud metadata IP addresses.
  • Deploy network segmentation or firewall rules to block outbound connections from the Flowise server to critical internal resources, thereby limiting the impact of any remaining SSRF attempts.

Generated by OpenCVE AI on April 16, 2026 at 03:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fvcw-9w9r-pxc7 Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access
History

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Flowiseai
Flowiseai flowise
Vendors & Products Flowiseai
Flowiseai flowise

Tue, 10 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints. This enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the public internet. This vulnerability is fixed in 3.0.13.
Title Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Flowiseai Flowise
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:19:28.567Z

Reserved: 2026-03-09T17:41:56.077Z

Link: CVE-2026-31829

cve-icon Vulnrichment

Updated: 2026-03-11T14:16:03.209Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T22:16:20.937

Modified: 2026-03-11T14:24:01.977

Link: CVE-2026-31829

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses