Server-Side Request Forgery (SSRF) in Flowise - CVE-2026-31829


Published: April 9, 2026


Vulnerability identifier: #VU125531
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-31829
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote user to access internal network resources and modify internal services.

The vulnerability exists due to server-side request forgery (SSRF) in the HTTP Node in AgentFlow and Chatflow when processing user-controlled URLs for server-side HTTP requests. A remote user can send a specially crafted URL to access internal network resources and modify internal services.

The HTTP Request node supports multiple HTTP methods, including GET, POST, PUT, PATCH, and DELETE, and can reach localhost, private IP ranges, and cloud metadata endpoints.
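As an added defensive example (not Flowise's own code) for the user-controlled URL handling described above: a TypeScript deny-check that a server-side HTTP node could apply to a URL before fetching it. The function names and the `metadata.google.internal` entry are assumptions of this example.

```typescript
// Added example, not Flowise code: static deny-check on a user-controlled URL before a
// server-side HTTP node fetches it. The WHATWG URL parser normalises numeric hosts first
// (0x7f000001, 2130706433 and 127.1 all become 127.0.0.1), so we check the parsed form.
type Verdict = { allowed: boolean; reason: string };
// IPv4 ranges a server-side fetch must never target: [network, prefix length].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function ipv4ToInt(ip: string): number | null {
  const octets = ip.split(".").map(Number);
  if (octets.length !== 4 || octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) return null;
  return octets.reduce((n, o) => n * 256 + o, 0);
}

function inBlockedV4(ip: string): boolean {
  const n = ipv4ToInt(ip);
  if (n === null) return false; // not an IPv4 literal (a DNS name): see note below
  return BLOCKED_V4.some(([net, len]) => {
    const mask = (0xffffffff << (32 - len)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net)! & mask) >>> 0);
  });
}
// The parser serialises IPv4-mapped IPv6 hosts as hex groups ([::ffff:127.0.0.1] becomes
// [::ffff:7f00:1]); unwrap that back to dotted form so the IPv4 ranges still apply.
function mappedV4(host: string): string | null {
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (!m) return null;
  const n = parseInt(m[1], 16) * 65536 + parseInt(m[2], 16);
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

function checkOutboundUrl(raw: string): Verdict {
  let url: URL | null = null;
  try { url = new URL(raw); } catch { /* fall through: url stays null */ }
  if (!url) return { allowed: false, reason: "unparseable URL" };
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  const host = url.hostname.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost") || host === "metadata.google.internal")
    return { allowed: false, reason: `host ${host} is internal` };
  // IPv6 literals: loopback/unspecified, unique-local fc00::/7, link-local fe80::/10
  if (host.includes(":") && (host === "::1" || host === "::" || /^f[cd]|^fe[89ab]/.test(host)))
    return { allowed: false, reason: `IPv6 ${host} is internal` };
  const v4 = mappedV4(host) ?? host;
  if (inBlockedV4(v4)) return { allowed: false, reason: `${v4} is in a blocked range` };
  return { allowed: true, reason: "ok" };
}
```

This is a static check on the URL as written; a DNS name that resolves to one of these ranges, rebinding between check and connect, and an HTTP redirect to an internal address all need the same check applied to the resolved address at connect time and after each redirect.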


How to mitigate CVE-2026-31829

Install the security update from the vendor's website.

Sources