CVE-2026-41271
Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains
CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
0th
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.
| CWE | CWE-918 |
| Vendor | flowiseai |
| Product | flowise |
| Published | Apr 23, 2026 |
| Last Updated | Apr 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for flowiseai flowise
Be the first to know when new high vulnerabilities affecting flowiseai flowise are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L Affected Versions
FlowiseAI / Flowise
< 3.1.0
FlowiseAI / flowise-components
< 3.1.0