Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Drive-by CORS abuse requires victim to visit a malicious page (UI:R); attacker needs no credentials (PR:N); impact is low-severity TTS generation abuse with no availability or scope-change component.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS configuration (getCorsOptions()) and allows any webpage to make cross-origin requests that trigger TTS generation using stored credentials, enabling drive-by cross-origin credential abuse.
AnalysisAI
Cross-origin request forgery via a hardcoded CORS wildcard in Flowise's text-to-speech endpoint (versions before 3.1.2) allows any malicious webpage to trigger TTS generation using a victim's stored credentials. The controller file packages/server/src/controllers/text-to-speech/index.ts unconditionally sets Access-Control-Allow-Origin: *, directly overriding the server's restrictive getCorsOptions() CORS policy for that route. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three concurrent conditions are required: (1) the victim must have an active authenticated session to a Flowise instance, (2) the victim must visit an attacker-controlled webpage while that session is live, and (3) the Flowise TTS endpoint must be reachable from the victim's browser - either via public internet or a shared network the victim accesses. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, score 6.9) rates this as network-exploitable with no prerequisites, but the UI:N designation is inconsistent with the described attack: drive-by CORS exploitation inherently requires a victim user to visit an attacker-controlled webpage, which maps to UI:P (passive) in CVSS 4.0 and UI:R in CVSS 3.1 - the provided score likely overstates exploitability as a result. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a public domain and serves a webpage containing JavaScript that issues a `fetch()` to a victim's Flowise TTS endpoint (e.g., `https://flowise.example.com/api/v1/text-to-speech`). When an authenticated Flowise user is socially engineered into visiting the attacker's page, the browser sends a cross-origin request; the hardcoded `Access-Control-Allow-Origin: *` permits the response to be read, and TTS generation is triggered using the victim's active session context, potentially abusing third-party TTS API credentials or quota. … |
| Remediation | Upgrade Flowise to version 3.1.2 or later, which aligns the TTS endpoint's CORS handling with the server-wide `getCorsOptions()` policy, eliminating the hardcoded wildcard. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c
FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una
Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40432
GHSA-8m62-6r3h-3x25