Server-Side Request Forgery (SSRF) in Flowise - #VU126232

Published: April 15, 2026


Vulnerability identifier: #VU126232
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper restriction of server-side request targets in the Execute Flow base url handling when processing a prediction request. A remote user can supply a crafted intranet address in the base url field and disclose sensitive information.

Exploitation can cause the server to initiate HTTP requests to internal network addresses, including cloud metadata services, and can be used to detect internal network services.


Remediation

Install the security update from the vendor's website.

Sources