PT-2026-34737 · Flowise · Flowise

Published

2026-04-16

·

Updated

2026-04-23

·

CVE-2026-41272

CVSS v3.1

7.1

High

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Flowise versions prior to 3.1.0

Description

The core security wrappers secureAxiosRequest() and secureFetch(), which are meant to prevent Server-Side Request Forgery (SSRF), contain logic flaws that let an attacker bypass the allow and deny lists. The hostname is resolved and checked against the lists, but the request itself resolves the name again, so DNS rebinding turns the check into a Time-of-Check Time-of-Use (TOCTOU) race: the name resolves to a permitted IP address during validation and to an internal IP address when the request is actually made. Separately, the default configuration does not enforce a deny list at all, so the check can also be bypassed without any rebinding.

Recommendations

Update to Flowise 3.1.0 or later.
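The following is an added illustration written for this page, not Flowise's own secureFetch()/secureAxiosRequest() code. It models the check-then-use flaw described above next to a pinned-resolution fix. DNS is replaced by an injected resolver function, the rebinding authority's answers are constructed, and the deny-list contents and the "empty list means allow everything" default are assumptions made for the example, not a statement of how Flowise configures them.

```typescript
// Added example for this advisory: a check-then-use SSRF guard that DNS
// rebinding defeats, next to a pinned-resolution version. Not Flowise code.
import { isIP } from "net";

// Stand-in for a DNS A lookup; a real client would use dns.lookup().
type Resolver = (hostname: string) => string;

// Assumed default deny list (loopback, RFC 1918, link-local, "this" network).
const DEFAULT_DENY_CIDRS: string[] = [
  "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
  "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8",
];

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function inCidr(ip: string, cidr: string): boolean {
  const [base = "", bitsStr = "32"] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isDenied(ip: string, denyCidrs: string[]): boolean {
  // Only IPv4 is modelled here; anything else (IPv6, garbage) fails closed.
  if (isIP(ip) !== 4) return true;
  return denyCidrs.some((cidr) => inCidr(ip, cidr));
}

interface RequestPlan {
  connectTo: string;   // address the TCP connection is opened to
  hostHeader: string;  // Host header / TLS SNI sent on that connection
}

function hostnameOf(urlStr: string): string {
  // WHATWG URL keeps IPv6 literals bracketed; strip so isIP() can classify them.
  return new URL(urlStr).hostname.replace(/^\[|\]$/g, "");
}

// Vulnerable shape: validate one DNS answer, then hand the original URL to the
// HTTP client, which resolves the name a second time. Between the two lookups a
// rebinding authority can switch the answer. An empty deny list also means "allow".
function vulnerableRequest(urlStr: string, resolve: Resolver, denyCidrs: string[]): RequestPlan {
  const host = hostnameOf(urlStr);
  const checked = isIP(host) ? host : resolve(host);           // lookup 1: check
  if (denyCidrs.length > 0 && isDenied(checked, denyCidrs)) {
    throw new Error(`blocked ${host} -> ${checked}`);
  }
  const actual = isIP(host) ? host : resolve(host);            // lookup 2: use
  return { connectTo: actual, hostHeader: host };
}

// Hardened shape: resolve once, validate that answer, connect to exactly that
// address, and keep the original name only as Host/SNI. A missing deny list falls
// back to the private-range defaults instead of allowing everything. Redirects
// must go through this function again rather than being followed by the client.
function pinnedRequest(urlStr: string, resolve: Resolver, denyCidrs: string[] = []): RequestPlan {
  const host = hostnameOf(urlStr);
  const deny = denyCidrs.length > 0 ? denyCidrs : DEFAULT_DENY_CIDRS;
  const pinned = isIP(host) ? host : resolve(host);            // the only lookup
  if (isDenied(pinned, deny)) throw new Error(`blocked ${host} -> ${pinned}`);
  return { connectTo: pinned, hostHeader: host };
}

// Constructed rebinding authority: answers in order, repeating the last one.
function rebindingResolver(answers: string[]): Resolver {
  let calls = 0;
  return (_hostname: string) => answers[Math.min(calls++, answers.length - 1)] as string;
}

// Constructed scenario: public address on the first lookup, loopback afterwards.
const rebind = () => rebindingResolver(["93.184.216.34", "127.0.0.1"]);
console.log(vulnerableRequest("http://attacker.example/", rebind(), DEFAULT_DENY_CIDRS)); // connectTo: 127.0.0.1
console.log(pinnedRequest("http://attacker.example/", rebind(), DEFAULT_DENY_CIDRS));     // connectTo: 93.184.216.34
```

In a real Node client the pinned address is applied through the `lookup` option of http.request() or the agent, with `servername` set to the original hostname for TLS, and every redirect target is validated the same way before it is followed; checking the name once and then letting axios or fetch resolve it again is exactly the gap the rebinding attack uses.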

Exploit

Fix

Time Of Check To Time Of Use

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-41272
GHSA-2X8M-83VC-6WV4

Affected Products

Flowise