Description
Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS configuration (getCorsOptions()) and allows any webpage to make cross-origin requests that trigger TTS generation using stored credentials, enabling drive-by cross-origin credential abuse.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Tue, 30 Jun 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS configuration (getCorsOptions()) and allows any webpage to make cross-origin requests that trigger TTS generation using stored credentials, enabling drive-by cross-origin credential abuse. | |
| Title | Flowise - Hardcoded CORS Wildcard in TTS Endpoint | |
| First Time appeared |
Flowiseai
Flowiseai flowise |
|
| Weaknesses | CWE-346 | |
| CPEs | cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Flowiseai
Flowiseai flowise |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-30T22:08:27.269Z
Reserved: 2026-06-20T01:51:24.918Z
Link: CVE-2026-56277
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-346
Origin Validation Error