CVE-2026-41272: CWE-918: Server-Side Request Forgery (SSRF) in FlowiseAI Flowise
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list. This vulnerability is fixed in 3.1.0.
AI Analysis
Technical Summary
CVE-2026-41272 is a Server-Side Request Forgery (SSRF) vulnerability in FlowiseAI Flowise before version 3.1.0. The issue arises from multiple logic flaws in the secureAxiosRequest and secureFetch security wrappers, which were intended to prevent SSRF attacks. These flaws enable attackers to bypass allow/deny lists via DNS Rebinding (a Time-of-Check Time-of-Use issue) or by exploiting default configurations that fail to enforce any deny list. The vulnerability is addressed in Flowise version 3.1.0. The product is a cloud-hosted service, and the vendor typically manages patching for such services.
Potential Impact
Successful exploitation of this SSRF vulnerability could allow an attacker to make unauthorized server-side requests, potentially leading to high confidentiality and integrity impacts and a low availability impact, as reflected by the CVSS vector. This could expose internal resources or sensitive data accessible from the server hosting Flowise. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A fix for this vulnerability is available in Flowise version 3.1.0. Since Flowise is a cloud-hosted service, the vendor manages remediation server-side. Users should verify with the vendor advisory that their service instance is updated to version 3.1.0 or later to ensure the vulnerability is mitigated.
CVE-2026-41272: CWE-918: Server-Side Request Forgery (SSRF) in FlowiseAI Flowise
Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list. This vulnerability is fixed in 3.1.0.
CVSS v3.1
Score 7.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41272 is a Server-Side Request Forgery (SSRF) vulnerability in FlowiseAI Flowise before version 3.1.0. The issue arises from multiple logic flaws in the secureAxiosRequest and secureFetch security wrappers, which were intended to prevent SSRF attacks. These flaws enable attackers to bypass allow/deny lists via DNS Rebinding (a Time-of-Check Time-of-Use issue) or by exploiting default configurations that fail to enforce any deny list. The vulnerability is addressed in Flowise version 3.1.0. The product is a cloud-hosted service, and the vendor typically manages patching for such services.
Potential Impact
Successful exploitation of this SSRF vulnerability could allow an attacker to make unauthorized server-side requests, potentially leading to high confidentiality and integrity impacts and a low availability impact, as reflected by the CVSS vector. This could expose internal resources or sensitive data accessible from the server hosting Flowise. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A fix for this vulnerability is available in Flowise version 3.1.0. Since Flowise is a cloud-hosted service, the vendor manages remediation server-side. Users should verify with the vendor advisory that their service instance is updated to version 3.1.0 or later to ensure the vulnerability is mitigated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-18T14:01:46.801Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69ea782987115cfb6850f837
Added to database: 4/23/2026, 7:51:05 PM
Last enriched: 4/23/2026, 8:06:17 PM
Last updated: 6/6/2026, 3:28:21 PM
Views: 88
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.