CVE-2026-41272 HIGH

CVE-2026-41272: Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)

Vendor Flowiseai
Product Flowise
Weakness CWE-918 · SSRF
Published April 23, 2026
Last update April 23, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

Description

Flowise is a drag-and-drop user interface for building customized large language model flows. Prior to 3.1.0, the core security wrappers intended to prevent Server-Side Request Forgery (SSRF), secureAxiosRequest and secureFetch, contain multiple logic flaws that let an attacker bypass the allow/deny lists. One is a DNS rebinding (time-of-check/time-of-use) gap: the target hostname is resolved and validated once, then resolved again when the HTTP client actually connects, so an attacker-controlled DNS record can answer with a harmless address at check time and an internal address at connect time. The other is the default configuration, which does not enforce any deny list, so no destination is blocked unless an operator configures one. This vulnerability is fixed in 3.1.0.
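The two flaws above, modelled in Node.js as an added example. This is not Flowise's secureAxiosRequest or secureFetch code; the CIDR list, the hostnames, the rebinding resolver and the function names vulnerableFetch and hardenedFetch are all constructed for the illustration. The first function shows the resolve-then-check-then-reconnect-by-hostname shape that DNS rebinding defeats, together with an empty default deny list; the second resolves once, checks, and connects to the pinned address with a deny list that falls back to sane defaults.

```javascript
// Added example, not Flowise's secureAxiosRequest/secureFetch. It models the two
// flaws the advisory names: (1) resolve -> check -> reconnect-by-hostname, which lets
// a rebinding DNS answer change between check and use; (2) an empty default deny list.
// Everything here (CIDRs, hostnames, the resolver) is constructed for the example.

// A default deny list that actually denies something: loopback, RFC 1918, link-local
// (covers 169.254.169.254 cloud metadata), CGNAT and the "this network" block.
const DEFAULT_DENY_CIDRS = [
  '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
  '169.254.0.0/16', '100.64.0.0/10', '0.0.0.0/8',
];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not a plain dotted quad.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

function isDenied(ip, denyCidrs) {
  return denyCidrs.some((c) => inCidr(ip, c));
}

// Constructed attacker-controlled DNS: 'attacker.example' answers with a public
// address on the first lookup and loopback on every later one (a zero-TTL rebind).
// IP literals resolve to themselves, as with a real resolver.
function makeRebindingResolver() {
  let lookups = 0;
  return (hostname) => {
    if (ipv4ToInt(hostname) !== null) return hostname;
    if (hostname === 'attacker.example') {
      lookups += 1;
      return lookups === 1 ? '203.0.113.10' : '127.0.0.1';
    }
    return '203.0.113.10'; // any other name: a harmless TEST-NET-3 address
  };
}

// Vulnerable shape: resolve, check, then hand the *hostname* to the HTTP client,
// which resolves it again at connect time. The deny list defaults to empty, so
// with no operator configuration nothing is ever blocked.
function vulnerableFetch(urlStr, resolve, denyCidrs = []) {
  const { hostname } = new URL(urlStr);
  const checkedIp = resolve(hostname);                      // time of check
  if (isDenied(checkedIp, denyCidrs)) throw new Error(`blocked ${checkedIp}`);
  const connectIp = resolve(hostname);                      // time of use: 2nd lookup
  return { checkedIp, connectIp };
}

// Hardened shape: resolve once, check, connect to that exact address and carry the
// original name only in the Host header. An empty deny list is treated as a
// misconfiguration and replaced by the defaults rather than allowing everything.
function hardenedFetch(urlStr, resolve, denyCidrs = DEFAULT_DENY_CIDRS) {
  const { hostname } = new URL(urlStr);
  const deny = denyCidrs.length > 0 ? denyCidrs : DEFAULT_DENY_CIDRS;
  const ip = resolve(hostname);                             // single lookup
  if (isDenied(ip, deny)) throw new Error(`blocked ${ip}`);
  return { checkedIp: ip, connectIp: ip, hostHeader: hostname }; // pinned
}
```

Against the rebinding resolver, vulnerableFetch validates 203.0.113.10 and then connects to 127.0.0.1, while hardenedFetch connects to the address it validated. In a real Node client the pinning is done by giving the agent a custom lookup that returns the already-checked address (or by connecting to the IP and setting the Host header yourself); for HTTPS the TLS servername must still be the original hostname, and every 3xx redirect hop has to go back through the same resolve-check-pin step, since a redirect is just another attacker-chosen URL.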

Key dates

Disclosure timeline

April 23, 2026 CVE published
April 23, 2026 Record updated
