PT-2026-24483 · Flowise · Flowise

Nlgbao1340 · Published 2026-03-10 · Updated 2026-04-12 · CVE-2026-31829

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Flowise versions prior to 3.0.13

Description

Flowise, a drag & drop user interface for building customized large language model flows, contains a Server-Side Request Forgery (SSRF) issue. The application exposes an HTTP Node within AgentFlow and Chatflow that makes server-side HTTP requests using URLs controlled by the user. There are no restrictions on the target hosts, allowing requests to private IP ranges, localhost, or cloud metadata endpoints. This enables an attacker interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are otherwise inaccessible from the public internet.

Recommendations

Update to version 3.0.13 or later.
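
For teams reviewing their own server-side HTTP fetchers, the following Node.js code is an added example of the kind of destination restriction the description says was absent; it is not Flowise code and not the 3.0.13 fix. The function names `isBlockedAddress` and `checkDestination`, the chosen ranges, and the sample hosts are assumptions made for this example.

```javascript
// Added example, not Flowise code: destination check for a server-side HTTP fetcher.
const net = require('node:net');

// Ranges the advisory names: localhost, private networks, link-local (cloud metadata).
const v4 = new net.BlockList();
for (const [prefix, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) v4.addSubnet(prefix, bits, 'ipv4');
const v6 = new net.BlockList();
v6.addAddress('::', 'ipv6');
v6.addAddress('::1', 'ipv6');
v6.addSubnet('fc00::', 7, 'ipv6');   // unique local
v6.addSubnet('fe80::', 10, 'ipv6');  // link-local

// True when the address must not be contacted. Anything that is not an IP fails closed.
function isBlockedAddress(ip) {
  const family = net.isIP(ip);
  if (family === 4) return v4.check(ip, 'ipv4');
  // IPv4-mapped IPv6 embeds an IPv4 address; reject it instead of unwrapping it.
  if (family === 6) return /^::ffff:/i.test(ip) || v6.check(ip, 'ipv6');
  return true;
}

// rawUrl: user-controlled URL. resolved: IP strings the caller got for the host name,
// e.g. the address fields from dns.promises.lookup(host, { all: true }) (assumed caller).
function checkDestination(rawUrl, resolved = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // new URL() canonicalises IP literals, so the check sees the address a socket would use.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const candidates = net.isIP(host) ? [host] : resolved;
  if (candidates.length === 0) return { ok: false, reason: 'host did not resolve' };
  const bad = candidates.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `blocked address ${bad}` };
  // Connect to this validated address, not the name, so a later DNS answer cannot differ.
  return { ok: true, connectTo: candidates[0] };
}

// Constructed sample inputs (hypothetical host names and addresses).
for (const [u, ips] of [
  ['http://169.254.169.254/latest/meta-data/', []],
  ['http://localhost:3000/api/v1', ['127.0.0.1']],
  ['https://api.example.com/v1', ['93.184.216.34']],
]) console.log(u, checkDestination(u, ips));
```

A check like this has to run again on every redirect hop, since a permitted host can redirect to a blocked one.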

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-31829
GHSA-FVCW-9W9R-PXC7

Affected Products

Flowise