CVE Alert

CVE-2026-56277

UNKNOWN 0.0

Flowise - Hardcoded CORS Wildcard in TTS Endpoint

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS configuration (getCorsOptions()) and allows any webpage to make cross-origin requests that trigger TTS generation using stored credentials, enabling drive-by cross-origin credential abuse.

CWE CWE-346
Vendor flowise
Product flowise
Published Jun 30, 2026

Affected Versions

Flowise / Flowise
0 < 3.1.2

References

github.com: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m837-xvxr-vqwg
vulncheck.com: https://www.vulncheck.com/advisories/flowise-hardcoded-cors-wildcard-in-tts-endpoint

Credits

DeathsPirate