Compliance Impact

The vulnerability allows attackers to bypass security validation and send HTTP requests to internal network addresses, potentially accessing cloud metadata, internal services, sensitive management interfaces, and internal configuration and credentials.

Such unauthorized access to internal and sensitive information could lead to data breaches or exposure of confidential data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to potential unauthorized data access and confidentiality breaches.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-56275 is a server-side request forgery (SSRF) vulnerability found in Flowise versions before 3.1.0, specifically in the Execute Flow node.

This vulnerability allows attackers to bypass security validation by submitting intranet addresses through the base URL field, which the system fails to properly verify due to missing secureFetch checks in the httpSecurity.ts file.

As a result, attackers can make the server send HTTP requests to internal network addresses, access cloud metadata, and enumerate internal services.

Useful 0 Not Useful 0

Impact Analysis

Exploiting this vulnerability can allow attackers to access internal web applications and sensitive management interfaces that are normally protected within the internal network.

Attackers may also be able to leak internal configuration details and credentials by enumerating internal services and accessing cloud metadata.

The vulnerability has a moderate severity with a CVSS score of 6.0, requires low privileges, and no user interaction, making it relatively easy to exploit.

The impact is high on confidentiality, potentially exposing sensitive information, but low on integrity and no impact on availability.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the SSRF vulnerability in Flowise before version 3.1.0, you should upgrade your Flowise installation to version 3.1.0 or later.

This update addresses the issue by adding proper security verification in the httpSecurity.ts file, preventing attackers from bypassing security validation via the base URL field in the Execute Flow node.

Useful 0 Not Useful 0

Detection Guidance

To detect the SSRF vulnerability in Flowise before version 3.1.0, you can monitor for unusual HTTP requests originating from the Flowise server to internal network addresses or cloud metadata endpoints. Since the vulnerability allows attackers to provide intranet addresses via the base URL field in the Execute Flow node, look for HTTP requests targeting internal IP ranges or metadata service URLs.

You can use network monitoring tools or commands to identify such suspicious outbound requests.

• Use tcpdump or tshark to capture outgoing HTTP requests from the Flowise server, filtering for internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16):
• tcpdump -i <interface> tcp and dst net 10.0.0.0/8
• tcpdump -i <interface> tcp and dst net 172.16.0.0/12
• tcpdump -i <interface> tcp and dst net 192.168.0.0/16
• Check application logs for HTTP requests initiated by the Execute Flow node containing intranet or cloud metadata URLs.
• If possible, review the Flowise Execute Flow node configurations or inputs to detect if intranet addresses are being used in the base URL field.

Upgrading to Flowise version 3.1.0 or later is recommended to mitigate this vulnerability.

Useful 0 Not Useful 0