#VU126234 Improper access control in Flowise

 


Published: April 15, 2026


Vulnerability identifier: #VU126234
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Flowise
Software vendor: FlowiseAI

Description

The vulnerability allows a remote user to access internal network resources and disclose sensitive information.

The vulnerability exists due to improper access control in tool components that directly use node-fetch or axios when processing outbound HTTP requests. A remote user can send a crafted prompt that triggers a vulnerable tool to issue requests to internal or metadata endpoints to access internal network resources and disclose sensitive information.

Only deployments with affected tools enabled are vulnerable.


Remediation

Install the security update from the vendor's website.
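
As defense in depth alongside the vendor update, a destination check can run before a tool hands a prompt-influenced URL to node-fetch or axios, rejecting internal and metadata addresses. The following is an added example, not Flowise code or the vendor's fix; the function names and the `resolved` parameter (addresses the caller already obtained from DNS for the hostname) are assumptions.

```javascript
// Added example: helper names are hypothetical, not Flowise code.
const BLOCKED_V4 = [ // [network, prefix]; 169.254.0.0/16 covers the 169.254.169.254 metadata address
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];
function v4ToInt(ip) { // dotted quad -> number, or null if not one
  const p = ip.split('.');
  if (p.length !== 4 || p.some(x => !/^\d{1,3}$/.test(x) || Number(x) > 255)) return null;
  return p.reduce((acc, x) => acc * 256 + Number(x), 0);
}
function isInternalV4(ip) {
  const n = v4ToInt(ip);
  if (n === null) return true; // unparseable: fail closed
  const sameNet = ([net, bits]) => Math.floor(n / 2 ** (32 - bits)) === Math.floor(v4ToInt(net) / 2 ** (32 - bits));
  return BLOCKED_V4.some(sameNet);
}
function v6Groups(s) { // expand to eight 16-bit groups, or null
  const cut = s.lastIndexOf(':') + 1;
  if (s.slice(cut).includes('.')) { // embedded dotted quad, e.g. ::ffff:10.0.0.1
    const n = v4ToInt(s.slice(cut));
    if (n === null) return null;
    s = s.slice(0, cut) + Math.floor(n / 65536).toString(16) + ':' + (n % 65536).toString(16);
  }
  const halves = s.split('::');
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - rest.length : 0;
  const g = [...head, ...Array(Math.max(fill, 0)).fill('0'), ...rest];
  return g.length === 8 && g.every(x => /^[0-9a-f]{1,4}$/i.test(x)) ? g.map(x => parseInt(x, 16)) : null;
}
function isInternalAddress(ip) {
  if (!ip.includes(':')) return isInternalV4(ip);
  const g = v6Groups(ip);
  if (g === null) return true; // unparseable: fail closed
  if (g.slice(0, 7).every(x => x === 0) && g[7] <= 1) return true; // :: and ::1
  if (g.slice(0, 5).every(x => x === 0) && g[5] === 0xffff) // IPv4-mapped
    return isInternalV4(`${g[6] >> 8}.${g[6] & 255}.${g[7] >> 8}.${g[7] & 255}`);
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // ULA, link-local
}
function checkOutboundUrl(rawUrl, resolved = []) { // resolved: DNS answers for the hostname
  let url;
  try { url = new URL(rawUrl); } catch { return { allowed: false, reason: 'unparseable URL' }; }
  if (!['http:', 'https:'].includes(url.protocol)) return { allowed: false, reason: 'scheme not allowed' };
  const host = url.hostname.replace(/^\[|\]$/g, ''); // URL() has already normalized IP literals
  const addrs = host.includes(':') || v4ToInt(host) !== null ? [host] : resolved;
  if (addrs.length === 0) return { allowed: false, reason: 'no resolved address' };
  const bad = addrs.find(isInternalAddress);
  return bad ? { allowed: false, reason: `internal address ${bad}` } : { allowed: true, reason: 'ok' };
}
```

The request must then connect to the same address that was checked, and every redirect target needs the same check, otherwise a hostname that resolves differently on the second lookup passes unchecked.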
