#VU125531 Server-Side Request Forgery (SSRF) in Flowise - CVE-2026-31829

 

Published: April 9, 2026


Vulnerability identifier: #VU125531
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-31829
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Flowise
Software vendor: FlowiseAI

Description

The vulnerability allows a remote user to access internal network resources and modify internal services.

The vulnerability exists due to server-side request forgery (SSRF) in the HTTP Node in AgentFlow and Chatflow when processing user-controlled URLs for server-side HTTP requests. A remote user can send a specially crafted URL to access internal network resources and modify internal services.

The HTTP Request node supports multiple HTTP methods, including GET, POST, PUT, PATCH, and DELETE, and can reach localhost, private IP ranges, and cloud metadata endpoints.
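A destination check of the kind that mitigates this class of bug, as an added example that is not Flowise's code or the vendor's fix. It covers the destinations named above (localhost, private IP ranges, the cloud metadata address) and goes slightly further by including their IPv6 and alternate-notation forms; the function names are hypothetical and the caller is assumed to pass in the DNS results for the hostname.

```javascript
// Added example (not Flowise code): vet the destination of a server-side HTTP request.
const BLOCKED_V4 = [                 // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10],
  ['127.0.0.0', 8],                  // loopback / localhost
  ['169.254.0.0', 16],               // link-local, includes 169.254.169.254 metadata
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted-quad string -> unsigned integer, or null if it is not an IPv4 literal.
function v4ToInt(ip) {
  const p = ip.split('.');
  if (p.length !== 4 || p.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) return null;
  return p.reduce((n, o) => n * 256 + Number(o), 0);
}

function isBlockedAddress(addr) {
  let a = addr.toLowerCase().replace(/^\[|\]$/g, '');
  // Unwrap IPv4-mapped IPv6, dotted (::ffff:127.0.0.1) or hex (::ffff:7f00:1).
  let m = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (m) a = m[1];
  m = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    a = [hi >> 8, hi & 255, lo >> 8, lo & 255].join('.');
  }
  if (a.includes(':')) {             // ::, ::1, fc00::/7 unique-local, fe80::/10 link-local
    return a === '::' || a === '::1' || /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a);
  }
  const n = v4ToInt(a);
  if (n === null) return true;       // not an IP literal: fail closed
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// url: user-supplied string. resolved: addresses the caller obtained from DNS for the
// hostname (assumption: the caller then connects only to these vetted addresses).
function checkDestination(url, resolved = []) {
  let u;
  try { u = new URL(url); } catch { return { allowed: false, reason: 'unparseable URL' }; }
  if (!['http:', 'https:'].includes(u.protocol)) return { allowed: false, reason: 'scheme' };
  // The URL parser has already normalised forms such as 0x7f.1 or 2130706433.
  const literal = u.hostname.startsWith('[') || v4ToInt(u.hostname) !== null;
  const targets = literal ? [u.hostname] : resolved;
  if (targets.length === 0) return { allowed: false, reason: 'no resolved address' };
  const bad = targets.find(isBlockedAddress);
  return bad ? { allowed: false, reason: `blocked address ${bad}` } : { allowed: true, reason: 'ok' };
}
```

The same check has to run on every redirect hop, and the request must be sent to the address that was vetted rather than resolved a second time.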


Remediation

Install the security update from the vendor's website.
