CVE-2026-56277
Flowise - Hardcoded CORS Wildcard in TTS Endpoint
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS configuration (getCorsOptions()) and allows any webpage to make cross-origin requests that trigger TTS generation using stored credentials, enabling drive-by cross-origin credential abuse.
| CWE | CWE-346 |
| Vendor | flowise |
| Product | flowise |
| Published | Jun 30, 2026 |
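The header override described in the advisory, modeled as an added example (constructed for illustration, not Flowise's code). The allowlist value, the handler names and the stand-in response object are assumptions; the point is that a route-level `setHeader` runs after the global policy and replaces its decision, and that a regression check can catch any route that widens the policy.

```javascript
// Constructed model of the header flow; not Flowise's code.
// ALLOWED_ORIGINS stands in for the server's configured CORS policy (assumed value).
const ALLOWED_ORIGINS = new Set(['https://flowise.example.internal']);

// Minimal stand-in for an HTTP response object.
function makeRes() {
  const headers = {};
  return { headers, setHeader(name, value) { headers[name.toLowerCase()] = value; } };
}

// Global policy: echo the Origin only if it is on the allowlist.
function corsMiddleware(req, res) {
  const origin = req.headers.origin;
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Vary', 'Origin');
  }
}

// Pattern described in the advisory: the route sets its own wildcard,
// replacing whatever the global policy decided.
function ttsHandlerHardcoded(req, res) {
  res.setHeader('Access-Control-Allow-Origin', '*');
  res.setHeader('Cache-Control', 'no-cache'); // hypothetical unrelated header
}

// Corrected pattern: the route leaves CORS headers to the global policy.
function ttsHandlerDeferred(req, res) {
  res.setHeader('Cache-Control', 'no-cache'); // hypothetical unrelated header
}

// Run middleware, then the handler; return the header a browser would evaluate.
function effectiveAllowOrigin(handler, origin) {
  const req = { headers: { origin } };
  const res = makeRes();
  corsMiddleware(req, res);
  handler(req, res);
  return res.headers['access-control-allow-origin'] ?? null;
}

// Regression check: no route may widen the policy for an unlisted origin.
function widensPolicy(handler, foreignOrigin = 'https://unlisted.example') {
  const value = effectiveAllowOrigin(handler, foreignOrigin);
  return value === '*' || value === foreignOrigin;
}
```

Running `widensPolicy` over every route handler in a test suite flags per-route overrides like this one before release.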
Affected Versions
Flowise / Flowise
0 < 3.1.2
Credits
DeathsPirate