PT-2026-34735 · Flowise · Flowise

Published 2026-04-16 · Updated 2026-04-23 · CVE-2026-41270

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.1.0

Description: A Server-Side Request Forgery (SSRF) protection bypass exists in the Custom Function feature. Although the application uses HTTP_DENY_LIST to protect the axios and node-fetch libraries, the built-in Node.js http, https, and net modules are permitted within the NodeVM sandbox without similar protections. This allows authenticated users to circumvent SSRF controls and access internal network resources, such as cloud provider metadata services.

Recommendations: Update to version 3.1.0.
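
The coverage gap described above can be audited mechanically. The following is an added example, not Flowise code: it lists sandbox-allowed modules that can reach the network without passing the deny-list guard, and shows a CIDR check that could be applied to the destination address whichever module opens the connection. The function names, module lists and deny-list entries are constructed for illustration.

```javascript
// Added example, not Flowise code. All names and sample values are constructed.

// Node.js built-in modules that can generate outbound network traffic.
const NETWORK_BUILTINS = ['http', 'https', 'http2', 'net', 'tls', 'dgram', 'dns'];

// Return the sandbox-allowed modules that are network-capable but not
// wrapped by the deny-list guard.
function unguardedNetworkModules(allowedInSandbox, guardedModules) {
  const guarded = new Set(guardedModules);
  return allowedInSandbox.filter((m) => NETWORK_BUILTINS.includes(m) && !guarded.has(m));
}

// Convert a dotted-quad IPv4 address to an unsigned integer, or null if invalid.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if `ip` falls inside any CIDR block of `denyList`. IPv4 only:
// anything that does not parse as IPv4 is denied (fail closed).
function isDenied(ip, denyList) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return true;
  return denyList.some((cidr) => {
    const [base, bitsStr = '32'] = cidr.split('/');
    const bits = Number(bitsStr);
    const baseInt = ipv4ToInt(base);
    if (baseInt === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
      throw new Error('bad deny-list entry: ' + cidr);
    }
    const size = 2 ** (32 - bits); // arithmetic avoids signed 32-bit shifts
    return Math.floor(addr / size) === Math.floor(baseInt / size);
  });
}

// Constructed sample configuration mirroring the situation in the description.
const SANDBOX_ALLOWED = ['crypto', 'http', 'https', 'net', 'path'];
const GUARDED = ['axios', 'node-fetch'];
const DENY_LIST = ['127.0.0.0/8', '10.0.0.0/8', '169.254.0.0/16'];

console.log('unguarded:', unguardedNetworkModules(SANDBOX_ALLOWED, GUARDED));
console.log('metadata address denied:', isDenied('169.254.169.254', DENY_LIST));
```

A check like `isDenied` is only effective when it runs on the address a connection actually uses, after name resolution, rather than on the hostname string the caller supplied.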

Exploit

Fix

Improper Access Control

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-41270
GHSA-XHMJ-RG95-44HV

Affected Products

Flowise