๐Ÿ” CVE Alert

CVE-2026-56275

UNKNOWN 0.0

Flowise - Server-Side Request Forgery via Execute Flow Base URL

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses, access cloud metadata, and enumerate internal services by exploiting the missing secureFetch verification in httpSecurity.ts.

CWE: CWE-918
Vendor: flowise
Product: flowise
Published: Jun 23, 2026

Affected Versions

Flowise / Flowise
0 < 3.1.0

References

github.com: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9hrv-gvrv-6gf2
vulncheck.com: https://www.vulncheck.com/advisories/flowise-server-side-request-forgery-via-execute-flow-base-url

Credits

๐Ÿ” cn-panda