#VU126232 Server-Side Request Forgery (SSRF) in Flowise

 

Published: April 15, 2026


Vulnerability identifier: #VU126232
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Flowise
Software vendor:
FlowiseAI

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper restriction of server-side request targets in the Execute Flow base URL handling when processing a prediction request. A remote user can supply a crafted intranet address in the base URL field to disclose sensitive information.

Exploitation can cause the server to initiate HTTP requests to internal network addresses, including cloud metadata services, and can be used to detect internal network services.
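One way to restrict a user-supplied base URL to external targets before the server fetches it, shown as an added example that is not Flowise's code or the vendor's fix. The function names and the list of blocked ranges are assumptions, and the sample addresses are constructed.

```javascript
// Added example, not Flowise code. Function names and the range list are hypothetical.
// Blocked IPv4 networks: this-network, RFC 1918, CGNAT, loopback, link-local (cloud metadata).
const BLOCKED_V4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);
function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// Expand an IPv6 string ("::" and a dotted-quad tail allowed) to 8 numeric groups.
function v6Groups(ip) {
  const m = ip.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (m) ip = m[1] + [v4ToInt(m[2]) >>> 16, v4ToInt(m[2]) & 0xffff].map((x) => x.toString(16)).join(':');
  const [head, tail] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const fill = tail === undefined ? [] : Array(8 - h.length - t.length).fill('0');
  return [...h, ...fill, ...t].map((g) => parseInt(g, 16));
}

function isBlockedAddress(ip) {
  if (!ip.includes(':')) return isBlockedV4(ip);
  const g = v6Groups(ip);
  const zeros = (k) => g.slice(0, k).every((x) => x === 0);
  if (zeros(7) && g[7] <= 1) return true; // "::" and loopback "::1"
  if (zeros(5) && g[5] === 0xffff) { // IPv4-mapped: judge the embedded IPv4 address
    return isBlockedV4([g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255].join('.'));
  }
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // ULA, link-local
}

// The WHATWG URL parser canonicalises hex, octal and integer IPv4 spellings of the host.
function hostOf(baseUrl) {
  const u = new URL(baseUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') throw new Error('scheme not allowed');
  return u.hostname.replace(/^\[|\]$/g, '');
}

// lookup is injectable for tests; the default is Node's dns.promises.lookup.
async function isBaseUrlAllowed(baseUrl, lookup) {
  const host = hostOf(baseUrl);
  if (host.includes(':') || /^\d+(\.\d+){3}$/.test(host)) return !isBlockedAddress(host);
  const resolve = lookup || (await import('node:dns')).promises.lookup;
  const addrs = await resolve(host, { all: true });
  return addrs.length > 0 && addrs.every((a) => !isBlockedAddress(a.address));
}
```

The check resolves the name once, so the HTTP client has to connect to the address that was validated and apply the same check to every redirect target; otherwise a DNS change between check and fetch bypasses it.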


Remediation

Install the security update from the vendor's website.

External links