CVE-2026-56277 PUBLISHED

Flowise - Hardcoded CORS Wildcard in TTS Endpoint

Assigner: VulnCheck
Reserved: 20.06.2026 Published: 30.06.2026 Updated: 01.07.2026

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. The route-level header overrides the otherwise restrictive default CORS configuration returned by getCorsOptions(), so any web page can issue cross-origin requests to the endpoint from a victim's browser; because the browser attaches its stored credentials (for example session cookies) to such requests, an attacker-controlled page can trigger TTS generation on the victim's behalf, enabling drive-by cross-origin credential abuse. Fixed in 3.1.2.
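The following is an added illustration, not Flowise's code: it contrasts a route that hardcodes the wildcard header with one that derives its CORS headers from the server-wide allow-list, models the browser's CORS check so the two can be compared, and includes a small source scan for the hardcoded pattern. The allow-list, the shape of getCorsOptions(), and the handler and function names are assumptions modelled on the advisory's description, not Flowise's actual API.

```javascript
// Added example (not Flowise's code). Names and the allow-list below are
// assumptions standing in for the server-wide policy the advisory calls
// getCorsOptions(); the file path and header are from the advisory.

// Constructed allow-list representing the server's configured CORS policy.
const ALLOWED_ORIGINS = ["https://flowise.example.com", "https://admin.example.com"];

// Stand-in for the server-wide CORS policy.
function getCorsOptions(allowedOrigins = ALLOWED_ORIGINS) {
  return {
    origin: (origin) => allowedOrigins.includes(origin),
    credentials: true,
  };
}

// Vulnerable pattern: the TTS route sets the header itself and ignores the
// configured policy, so every origin is allowed regardless of allow-list.
function ttsHeadersVulnerable(_requestOrigin) {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened pattern: CORS headers come from the shared policy. Only an
// allow-listed Origin is echoed back; any other origin gets no ACAO header,
// so the browser keeps same-origin policy in force for the response.
function ttsHeadersHardened(requestOrigin, corsOptions = getCorsOptions()) {
  const headers = { Vary: "Origin" }; // response depends on Origin; keep caches honest
  if (requestOrigin && corsOptions.origin(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    if (corsOptions.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Models the browser-side CORS check on a response: may a page at
// `pageOrigin` read it? Mirrors the Fetch spec rules: "*" is accepted only
// for requests sent without credentials; a credentialed request needs an
// exact origin match plus Access-Control-Allow-Credentials: true.
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  if (acao !== pageOrigin) return false;
  if (withCredentials && responseHeaders["Access-Control-Allow-Credentials"] !== "true") return false;
  return true;
}

// Regression check: given a source file's contents, return the 1-based line
// numbers that set Access-Control-Allow-Origin to a literal "*", whether via
// setHeader('Access-Control-Allow-Origin', '*') or an object literal.
function findHardcodedWildcard(source) {
  const pattern = /Access-Control-Allow-Origin['"]?\s*[,:]\s*['"]\*['"]/;
  const hits = [];
  source.split("\n").forEach((line, i) => {
    if (pattern.test(line)) hits.push(i + 1);
  });
  return hits;
}

// Constructed sample of the vulnerable shape, for the scan above.
const SAMPLE_SOURCE = [
  "res.setHeader('Access-Control-Allow-Origin', '*')",
  "res.setHeader('Content-Type', 'audio/mpeg')",
  "const headers = { 'Access-Control-Allow-Origin': '*' }",
].join("\n");

console.log("attacker page, vulnerable route:", ttsHeadersVulnerable("https://evil.example"));
console.log("attacker page, hardened route:", ttsHeadersHardened("https://evil.example"));
console.log("hardcoded wildcard on lines:", findHardcodedWildcard(SAMPLE_SOURCE));
```

Two caveats worth keeping in mind when reading the comparison. First, the browser never honours `Access-Control-Allow-Origin: *` for a credentialed response, so the wildcard lets an arbitrary page read responses to requests sent without credentials, while a credentialed request's response stays opaque to the page. Second, CORS headers only govern whether the calling page may read the response; a cross-origin request that the browser classifies as simple (for example a form-encoded POST) is still sent, cookies included, before any header is inspected, so removing the wildcard restores the configured policy but a state-changing endpoint that must not be reachable from other origins also needs request-side protection such as a CSRF token or a requirement that forces a preflight.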

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor Flowise
Product Flowise
Versions (default status: unaffected)
  • affected from 0 to 3.1.2 (excl.)
  • 3.1.2 is unaffected

Credits

  • DeathsPirate reporter

Problem Types

  • CWE-346: Origin Validation Error