CVE-2026-56275 PUBLISHED

Flowise - Server-Side Request Forgery via Execute Flow Base URL

Assigner: VulnCheck
Reserved: 20.06.2026 Published: 23.06.2026 Updated: 23.06.2026

Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses, access cloud metadata, and enumerate internal services by exploiting the missing secureFetch verification in httpSecurity.ts.
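
A destination check of the kind the description says was missing for the base URL field, as an added example. It is not Flowise's `secureFetch` or `httpSecurity.ts` code; the function names and the `resolvedAddrs` parameter are assumptions.

```javascript
const net = require('node:net');

// Address ranges a server-side fetch should not reach on a user's behalf.
const internal = new net.BlockList();
for (const [addr, prefix] of [
  ['0.0.0.0', 8],       // "this network"
  ['10.0.0.0', 8],      // RFC 1918 private
  ['100.64.0.0', 10],   // carrier-grade NAT
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local, where cloud metadata services live
  ['172.16.0.0', 12],   // RFC 1918 private
  ['192.168.0.0', 16],  // RFC 1918 private
]) internal.addSubnet(addr, prefix, 'ipv4');
internal.addAddress('::', 'ipv6');        // unspecified
internal.addAddress('::1', 'ipv6');       // loopback
internal.addSubnet('fc00::', 7, 'ipv6');  // unique local
internal.addSubnet('fe80::', 10, 'ipv6'); // link-local

function isInternalAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) return true; // not an IP literal: fail closed
  return internal.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// resolvedAddrs (hypothetical parameter): every address DNS returned for the
// host. The caller resolves once and connects to an address that was checked.
function checkBaseUrl(rawUrl, resolvedAddrs = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  // WHATWG URL parsing has already normalised forms such as 2130706433
  // or 0x7f.1 to a dotted quad; IPv6 literals keep their brackets.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const targets = net.isIP(host) ? [host] : resolvedAddrs;
  if (targets.length === 0) return { ok: false, reason: 'unresolved' };
  const bad = targets.find(isInternalAddress);
  return bad ? { ok: false, reason: `internal address ${bad}` } : { ok: true };
}
```

The check only holds if the request is then sent to one of the checked addresses rather than re-resolving the hostname, and if each redirect target goes through the same function.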

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6

Product Status

Vendor Flowise
Product Flowise
Versions Default: unaffected
  • affected from 0 to 3.1.0 (excl.)
  • Version 3.1.0 is unaffected

Credits

  • cn-panda reporter

Problem Types

  • Server-Side Request Forgery (SSRF) CWE