Vulnerability Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Flowiseai | Flowise | < 3.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6r77-hqx7-7vw8ExploitVendor Advisory
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6r77-hqx7-7vw8ExploitVendor Advisory
FAQ
What is CVE-2026-41271?
CVE-2026-41271 is a vulnerability with a CVSS score of 8.3 (HIGH). Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain com...
How severe is CVE-2026-41271?
CVE-2026-41271 has been rated HIGH with a CVSS base score of 8.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41271?
Check the references section above for vendor advisories and patch information. Affected products include: Flowiseai Flowise.