Description
Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses, access cloud metadata, and enumerate internal services by exploiting the missing secureFetch verification in httpSecurity.ts.
Published: 2026-06-23
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the Execute Flow node of Flowise, where the base URL field is not validated against internal addresses. By supplying an intranet URL, an attacker can trigger the application‑side HTTP request and receive responses from private resources, cloud metadata services, or other internal endpoints. The compromised confidentiality can expose configuration details, internal service listings, or sensitive data accessible through those endpoints, and may act as a foothold for further attacks.

Affected Systems

Flowise Flowise products before version 3.1.0 are affected. If an environment is running an older release, it is vulnerable regardless of deployment platform.

Risk and Exploitability

The issue is rated CVSS 6, indicating moderate severity. No EPSS information is available, and the vulnerability is not listed in KEV. Likely the attacker must submit a crafted request to the Execute Flow node, which may be publicly accessible or require authentication. Once the request is accepted, the server performs an outbound HTTP call to the specified base URL with no additional verification, making it straightforward to enumerate or exfiltrate internal resources. The risk remains significant for environments with sensitive internal services exposed through this node.

Generated by OpenCVE AI on June 23, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Flowise to version 3.1.0 or later to apply the vendor’s fix.
  • If an upgrade is not feasible, block outbound traffic from the Execute Flow node to internal IP ranges using network policies or firewall rules.
  • Restrict or remove the Execute Flow node from public‑facing services, or implement application‑level validation to ensure only approved external URLs are accepted.

Generated by OpenCVE AI on June 23, 2026 at 13:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses, access cloud metadata, and enumerate internal services by exploiting the missing secureFetch verification in httpSecurity.ts.
Title Flowise - Server-Side Request Forgery via Execute Flow Base URL
First Time appeared Flowiseai
Flowiseai flowise
Weaknesses CWE-918
CPEs cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products Flowiseai
Flowiseai flowise
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Flowiseai Flowise
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:57:44.859Z

Reserved: 2026-06-20T01:47:54.000Z

Link: CVE-2026-56275

cve-icon Vulnrichment

Updated: 2026-06-23T13:57:41.596Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T13:30:03Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)