Platform
nodejs
Component
flowise
Fixed in
3.0.14
3.0.13
CVE-2026-31829 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Flowise, specifically within its AgentFlow and Chatflow HTTP Node functionality. This flaw allows attackers to manipulate the Flowise server into making HTTP requests to internal resources, bypassing typical network security boundaries. The vulnerability impacts versions prior to 3.0.13 and can lead to unauthorized access to sensitive internal data and systems. A fix has been released in version 3.0.13.
The SSRF vulnerability in Flowise allows an attacker to leverage the Flowise server as a proxy to access internal resources that are otherwise inaccessible from the public internet. This includes internal admin panels, databases, and other sensitive services. An attacker could potentially exfiltrate sensitive data, modify configurations, or even gain a foothold within the internal network. The ability to target RFC 1918 IP ranges, localhost, and cloud metadata endpoints significantly expands the potential attack surface. Successful exploitation could lead to a complete compromise of internal systems, depending on the permissions and access granted to the Flowise server.
CVE-2026-31829 was publicly disclosed on 2026-03-10. The vulnerability's ease of exploitation and potential impact suggest a medium probability of exploitation (EPSS score pending). No public proof-of-concept (POC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it likely that a POC will emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.05% (15% percentile)
CISA SSVC
The primary mitigation for CVE-2026-31829 is to immediately upgrade Flowise to version 3.0.13 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting outbound network access for the Flowise server using a firewall or network segmentation. WAF rules can be configured to block requests to known internal IP ranges or metadata endpoints. Carefully review and restrict the permissions granted to the user account running the Flowise server to minimize the potential impact of a successful SSRF attack. After upgrading, confirm the fix by attempting to access an internal resource via the HTTP Node and verifying that the request is denied.
Update Flowise to version 3.0.13 or higher. This version fixes the SSRF vulnerability in the HTTP node, preventing unauthorized access to internal network resources.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-31829 is a Server-Side Request Forgery vulnerability in Flowise versions before 3.0.13, allowing attackers to access internal resources via manipulated HTTP requests.
You are affected if you are using Flowise versions prior to 3.0.13 and have not implemented mitigating controls.
Upgrade Flowise to version 3.0.13 or later. As a temporary workaround, restrict outbound network access for the Flowise server using a firewall or WAF.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that exploitation attempts will occur.
Refer to the Flowise project's official security advisories and release notes for details: [https://flowise.com/docs/security](https://flowise.com/docs/security)
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.