Skip to main content

Flowise CVE-2026-43995

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-11 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 11, 2026 - 18:48 vuln.today
Analysis Generated
May 11, 2026 - 18:48 vuln.today
CVSS changed
May 11, 2026 - 18:22 NVD
5.3 (MEDIUM)
CVE Published
May 11, 2026 - 17:49 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2) WebScraperTool/WebScraperTool.ts, (3) MCP/core.ts, and (4) Arxiv/core.ts. This vulnerability is fixed in 3.1.0.

AnalysisAI

Flowise versions prior to 3.1.0 allow authenticated remote attackers to bypass SSRF protections by exploiting direct HTTP client imports in four tool implementations (OpenAPIToolkit, WebScraperTool, MCP, and Arxiv) that circumvent the centralized httpSecurity.ts validation wrapper. An attacker with tool access can craft requests to reach blocked internal endpoints such as AWS metadata services, restoring full SSRF capability despite administrative deny-list configuration.

Technical ContextAI

Flowise implements centralized SSRF protection through httpSecurity.ts, which validates outbound HTTP requests against a deny-list (HTTP_DENY_LIST), performs IP resolution validation, enforces IP pinning, and blocks loopback addresses. However, four tool implementations-OpenAPIToolkit.ts, WebScraperTool.ts, MCP/core.ts, and Arxiv/core.ts-directly import HTTP clients (node-fetch, axios) rather than invoking the security wrapper, creating an enforcement gap. This is classified as CWE-918 (SSRF) and represents an architectural failure where security validation depends on voluntary wrapper usage rather than mandatory structural enforcement. The root cause is the absence of a global interceptor or centralized enforcement mechanism that prevents direct HTTP library imports.

RemediationAI

Upgrade Flowise to version 3.1.0 or later immediately. For organizations unable to upgrade immediately, disable vulnerable tools (OpenAPIToolkit, WebScraperTool, MCP, Arxiv) in tool configuration until patched. Additionally, enforce strict HTTP_DENY_LIST configuration blocking internal IP ranges (169.254.0.0/16 for AWS metadata, 127.0.0.0/8 for loopback, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 for private networks) at the network firewall or WAF level as a compensating control; however, this does not address the root architectural flaw and should be combined with the patch. For defense in depth, restrict LLM tool access to non-sensitive prompts and monitor outbound HTTP requests for requests to metadata endpoints or internal services. See https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-qqvm-66q4-vf5c for patch details.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

CVE-2026-43995 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy