PT-2026-39183 · Flowise · Flowise

Espanda666
Published: 2026-04-16
Updated: 2026-05-11
CVE: CVE-2026-43995
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.1.0
Description: Multiple tool implementations bypass the centralized HTTP security wrapper (httpSecurity.ts), which is designed to provide Server-Side Request Forgery (SSRF) protections through deny-list validation, IP resolution validation, IP pinning, and loopback blocking. Instead of using this secured wrapper, certain tools directly import and invoke raw HTTP clients such as node-fetch and axios. This architectural failure allows outbound requests to be executed without validation, enabling access to internal network resources and the potential theft of cloud metadata and credentials. The affected components include OpenAPIToolkit.ts, WebScraperTool.ts, MCP/core.ts, and Arxiv/core.ts.
Recommendations: Update to version 3.1.0. As a temporary workaround, restrict access to the OpenAPIToolkit, WebScraperTool, MCP, and Arxiv tools to minimize the risk of exploitation.
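The shape of the destination check such a centralized wrapper performs before any outbound request, and which a tool that calls node-fetch or axios directly never reaches, as an added TypeScript illustration written for this page rather than Flowise's httpSecurity.ts (the function names, the blocked ranges and the resolver answers passed in are assumptions):

```typescript
// Added illustration of a pre-request SSRF check; not Flowise's httpSecurity.ts.
// Names, blocked ranges and the injected resolver answers are assumptions.
const BLOCKED_V4: Array<[string, number]> = [
  ["127.0.0.0", 8],    // loopback
  ["10.0.0.0", 8],     // RFC 1918
  ["172.16.0.0", 12],  // RFC 1918
  ["192.168.0.0", 16], // RFC 1918
  ["169.254.0.0", 16], // link-local, where cloud metadata services live
  ["0.0.0.0", 8],      // "this" network; reaches the local host on Linux
];
const V4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function inRange(ip: string, net: string, prefix: number): boolean {
  const mask = (~0 << (32 - prefix)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(net) & mask) >>> 0);
}

// True when the address must never be contacted; anything unparseable is refused.
function isBlockedAddress(addr: string): boolean {
  const ip = addr.toLowerCase().replace(/^\[|\]$/g, "");
  const m4 = V4.exec(ip);
  if (m4) return m4.slice(1).some((o) => Number(o) > 255) || BLOCKED_V4.some(([n, p]) => inRange(ip, n, p));
  if (!ip.includes(":")) return true;                                        // not an IP literal
  if (ip === "::1" || ip === "::" || /^(fe80|fc|fd)/.test(ip)) return true; // loopback, link-local, ULA
  const mapped = /^::ffff:(.+)$/.exec(ip);                                   // IPv4-mapped IPv6
  if (mapped) {
    const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(mapped[1]);
    if (!hex) return isBlockedAddress(mapped[1]);                            // dotted form ::ffff:a.b.c.d
    const n = (parseInt(hex[1], 16) << 16) + parseInt(hex[2], 16);
    return isBlockedAddress(`${n >>> 24}.${(n >>> 16) & 255}.${(n >>> 8) & 255}.${n & 255}`);
  }
  return false;
}

// Vet a URL against the resolver's answers (injected, so this runs offline) and
// return the single address to pin the connection to, or null to deny. Pinning
// closes the DNS-rebinding window between this check and the actual connect.
function pinTarget(rawUrl: string, resolved: string[]): string | null {
  const url = (() => { try { return new URL(rawUrl); } catch { return null; } })();
  if (!url || (url.protocol !== "http:" && url.protocol !== "https:")) return null;
  const host = url.hostname.replace(/^\[|\]$/g, "");
  // A literal address is checked itself; a hostname needs every resolver answer to pass.
  const candidates = V4.test(host) || host.includes(":") ? [host] : resolved;
  if (candidates.length === 0 || candidates.some(isBlockedAddress)) return null;
  return candidates[0];
}
```

The resolver answers are injected rather than looked up so the check is deterministic; a real wrapper would resolve the hostname itself and then hand the pinned address to the HTTP client.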

SSRF

Related Identifiers

CVE-2026-43995
GHSA-QQVM-66Q4-VF5C

Affected Products

Flowise