Improper access control in Flowise - #VU126234

 

Published: April 15, 2026


Vulnerability identifier: #VU126234
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote user to access internal network resources and disclose sensitive information.

The vulnerability exists due to improper access control in tool components that directly use node-fetch or axios when processing outbound HTTP requests. A remote user can send a crafted prompt that causes a vulnerable tool to issue requests to internal or metadata endpoints, giving access to internal network resources and disclosing sensitive information.

Only deployments with affected tools enabled are vulnerable.
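
The kind of destination check an outbound request from a tool needs before the URL reaches node-fetch or axios, as an added example (not Flowise's code and not the vendor's fix). The function names, the blocked ranges and the resolved-address parameter are assumptions made for illustration.

```javascript
// Added example: destination check to run before a tool hands a URL to
// node-fetch or axios. Names and ranges are assumptions, not Flowise code.
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, where cloud metadata services live
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isInternalAddress(ip) {
  let addr = ip.toLowerCase().replace(/^\[|\]$/g, '');
  const mapped = addr.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (mapped) addr = mapped[1]; // IPv4-mapped IPv6 in dotted form
  const n = v4ToInt(addr);
  if (n !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
    });
  }
  if (!addr.includes(':')) return true; // not an IP at all: fail closed
  // IPv6 loopback, unspecified, fc00::/7, fe80::/10, and hex-form mapped IPv4.
  return addr === '::1' || addr === '::' || /^f[cd][0-9a-f]{2}:/.test(addr) ||
    /^fe[89ab][0-9a-f]:/.test(addr) || addr.startsWith('::ffff:');
}

// resolvedAddrs: every address DNS returned for the host; the caller resolves
// it (for example with dns.lookup(host, { all: true })) and passes the list in.
function checkOutboundUrl(rawUrl, resolvedAddrs = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allowed: false, reason: 'unparseable URL' }; }
  if (!['http:', 'https:'].includes(url.protocol)) return { allowed: false, reason: 'scheme not allowed' };
  const host = url.hostname; // WHATWG parsing normalises forms such as 2130706433
  const literal = v4ToInt(host) !== null || host.startsWith('[');
  const candidates = literal ? [host] : resolvedAddrs;
  if (candidates.length === 0) return { allowed: false, reason: 'no resolved address' };
  const bad = candidates.find(isInternalAddress);
  return bad ? { allowed: false, reason: `internal address ${bad}` } : { allowed: true, reason: 'ok' };
}
```

The verdict only holds if the tool then connects to the address that was checked and repeats the check on every redirect hop.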


Remediation

Install the security update from the vendor's website.
