CVE-2026-31829: CWE-918: Server-Side Request Forgery (SSRF) in FlowiseAI Flowise
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints. This enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the public internet. This vulnerability is fixed in 3.0.13.
AI Analysis
Technical Summary
FlowiseAI's Flowise is a drag-and-drop interface for building customized large language model workflows. Versions prior to 3.0.13 contain a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-31829) due to an HTTP Node component in AgentFlow and Chatflow that performs server-side HTTP requests based on user-supplied URLs. Critically, there are no built-in restrictions on the destination of these requests, allowing attackers to specify URLs targeting internal IP ranges (RFC 1918), localhost, or cloud provider metadata endpoints. This lack of validation enables an attacker interacting with a publicly exposed chatflow to coerce the Flowise server into making arbitrary HTTP requests within its internal network environment. Such requests can be used to access sensitive internal services, retrieve confidential data, or perform reconnaissance on otherwise inaccessible infrastructure. The vulnerability requires only low privileges to exploit and does not require user interaction, increasing its risk. The CVSS v3.1 score of 7.1 reflects high confidentiality and integrity impact, with limited availability impact. The vulnerability was publicly disclosed on March 10, 2026, and fixed in Flowise version 3.0.13. No known exploits in the wild have been reported to date.
Potential Impact
The SSRF vulnerability in Flowise can have significant impacts on organizations deploying affected versions, especially if the Flowise server is publicly accessible. Attackers can leverage this flaw to access internal network resources that are otherwise protected by network segmentation or firewalls, including sensitive internal APIs, databases, or cloud metadata services that may contain credentials or configuration data. This can lead to data breaches, unauthorized access to internal systems, and potential lateral movement within the network. The integrity of internal services can be compromised if attackers manipulate internal requests or trigger unintended actions. Although availability impact is low, the confidentiality and integrity risks are high. Organizations relying on Flowise for AI workflow automation may face operational disruptions and reputational damage if exploited. The risk is amplified in cloud environments where metadata endpoints provide critical instance identity and credential information.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade Flowise to version 3.0.13 or later, where the SSRF issue is fixed. If upgrading is not immediately possible, implement strict network-level controls such as firewall rules or egress filtering to prevent the Flowise server from making HTTP requests to internal IP ranges (RFC 1918), localhost (127.0.0.1), and cloud metadata service IP addresses (e.g., 169.254.169.254). Additionally, apply application-layer input validation to restrict or sanitize user-supplied URLs in the HTTP Node to allow only trusted external domains. Monitoring and logging HTTP requests originating from the Flowise server can help detect suspicious activity. Employ network segmentation to isolate the Flowise server from sensitive internal resources. Finally, review and harden access controls on internal services to minimize the impact of potential SSRF exploitation.
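The application-layer control described above can be implemented as a destination policy that the HTTP Node consults before any request is sent. The following TypeScript is an added example written for this page, not code from the Flowise project: it parses the user-supplied URL, permits only http/https, rejects `localhost` and literal addresses in loopback, RFC 1918, link-local (which covers the 169.254.169.254 metadata address), CGNAT and unspecified ranges, optionally enforces an allowlist of trusted external hosts, and checks every address a hostname resolves to. The resolver is injected (`policy.resolve`) so the check can run offline; the `demoResolver` table and the TEST-NET address 203.0.113.10 are constructed sample data, and all function names are assumptions of this example.

```typescript
// Added example (not Flowise code): egress destination policy for a server-side HTTP node.
type Verdict = { allowed: boolean; reason: string };

interface Policy {
  allowedHosts?: string[];                 // optional allowlist of trusted external hosts (lower-case)
  resolve: (hostname: string) => string[]; // resolver injected so the check is testable offline
}

// Parse a dotted-quad IPv4 literal; null if the string is not one.
function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Ranges a server-side fetcher must never reach: loopback, RFC 1918, link-local
// (includes the 169.254.169.254 cloud metadata endpoint), CGNAT and 0.0.0.0/8.
function isBlockedIPv4(o: number[]): boolean {
  const [a, b] = o;
  return (
    a === 0 ||                                // 0.0.0.0/8 unspecified
    a === 10 ||                               // 10.0.0.0/8
    a === 127 ||                              // 127.0.0.0/8 loopback
    (a === 169 && b === 254) ||               // 169.254.0.0/16 link-local / metadata
    (a === 172 && b >= 16 && b <= 31) ||      // 172.16.0.0/12
    (a === 192 && b === 168) ||               // 192.168.0.0/16
    (a === 100 && b >= 64 && b <= 127)        // 100.64.0.0/10 CGNAT
  );
}

// Simplified IPv6 check: IPv4-mapped addresses are reduced to the IPv4 rules;
// loopback, unspecified, link-local (fe80::/10) and ULA (fc00::/7) are blocked.
function isBlockedIPv6(host: string): boolean {
  const h = host.toLowerCase();
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);           // ::ffff:10.0.0.1
  if (dotted) { const v4 = parseIPv4(dotted[1]); return v4 === null || isBlockedIPv4(v4); }
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);    // ::ffff:a00:1 (WHATWG form)
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedIPv4([hi >> 8, hi & 255, lo >> 8, lo & 255]);
  }
  if (h === "::1" || h === "::") return true;
  if (h.startsWith("fe80:")) return true;
  if (h.startsWith("fc") || h.startsWith("fd")) return true;
  return false;
}

// Fail closed: anything that is not a recognisable IP literal is treated as blocked.
function isBlockedAddress(addr: string): boolean {
  const v4 = parseIPv4(addr);
  if (v4) return isBlockedIPv4(v4);
  if (addr.includes(":")) return isBlockedIPv6(addr);
  return true;
}

function checkOutboundUrl(raw: string, policy: Policy): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { allowed: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${url.protocol} not permitted` };
  }
  // WHATWG parsing already canonicalises IPv4 forms such as 0x7f000001 to dotted quads.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();  // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { allowed: false, reason: "localhost is not permitted" };
  }
  if (policy.allowedHosts && !policy.allowedHosts.includes(host)) {
    return { allowed: false, reason: `${host} is not in the allowlist` };
  }
  const isLiteral = parseIPv4(host) !== null || host.includes(":");
  const addrs = isLiteral ? [host] : policy.resolve(host);
  if (addrs.length === 0) return { allowed: false, reason: `${host} did not resolve` };
  for (const a of addrs) {
    if (isBlockedAddress(a)) return { allowed: false, reason: `${host} resolves to blocked address ${a}` };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed resolver table for demonstration; a real node would use dns.lookup.
const demoResolver = (name: string): string[] => {
  const table: Record<string, string[]> = {
    "api.example.com": ["203.0.113.10"],
    "internal-db.corp.example": ["10.0.5.20"],
    "rebind.example": ["203.0.113.10", "127.0.0.1"],
  };
  return table[name] ?? [];
};
```

Two caveats for anyone wiring this into a fetcher: the validated address should be the one actually connected to (pin it, rather than letting the HTTP client resolve the name a second time, which is what DNS rebinding exploits), and every redirect target must go back through `checkOutboundUrl`, since an allowed external host can redirect to an internal one. Network-level egress filtering, as recommended above, remains the backstop for any case this application-layer check does not cover.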
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-09T17:41:56.077Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b18a712f860ef9431b626c
Added to database: 3/11/2026, 3:29:53 PM
Last enriched: 3/11/2026, 3:44:06 PM
Last updated: 4/25/2026, 1:32:31 AM
Views: 113