CVE-2026-31829: Flowise: SSRF via HTTP Node exposes internal network

GHSA-fvcw-9w9r-pxc7 HIGH PoC AVAILABLE CISA: ATTEND
Published March 10, 2026
CISO Take

Flowise's HTTP Node in AgentFlow and Chatflow accepts user-controlled URLs with zero restrictions, allowing any authenticated user of a publicly exposed chatflow to force the server to fetch internal RFC 1918 addresses, localhost services, or cloud metadata endpoints such as the AWS IMDSv1 endpoint at 169.254.169.254. With a CVSS of 8.8, low attack complexity, only low privileges required, and a public PoC already available, exploitation is well within reach of non-sophisticated attackers — this is not a theoretical risk. In cloud-hosted Flowise deployments, a single request to the metadata endpoint can yield temporary IAM credentials with broad permissions, enabling full cloud account takeover. Upgrade to Flowise 3.0.13 immediately; if patching is delayed, enforce network-level egress filtering blocking RFC 1918 ranges and the 169.254.0.0/16 link-local block from the Flowise host, require authentication on all chatflow endpoints, and enable IMDSv2 token-required mode on any AWS instances running Flowise.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High risk across cloud-hosted deployments. CVSS 8.8 with network accessibility, low complexity, low privileges required, and a public PoC represents a mature exploitation posture — the bar for an attacker is extremely low. Cloud-hosted instances face existential risk: a single successful request to the instance metadata endpoint can yield scoped or wildcard IAM credentials. On-premises deployments face internal network reconnaissance and lateral movement risks. With 16 prior CVEs in the same package, Flowise's security posture warrants scrutiny beyond this single issue.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
flowise | npm | <= 3.0.12 | 3.0.13
flowise | npm | | No patch
flowise-components | npm | <= 3.0.12 | 3.0.13

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 27% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. Patch immediately: upgrade to Flowise 3.0.13, which introduces host restrictions on the HTTP Node.

  2. If patching is delayed: add network-level egress filtering from the Flowise container or host blocking RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16).

  3. Require authentication for all chatflow and agentflow endpoints to eliminate unauthenticated access paths.

  4. If running on AWS, enforce IMDSv2 (token-required) to block IMDSv1-style metadata fetch even if SSRF is present.

  5. Audit existing flows for HTTP Nodes with user-controllable URL inputs and restrict via input validation or node-level allowlisting.

  6. Review cloud IAM roles assigned to Flowise hosts and apply least-privilege scoping.
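
One way to implement the input validation from step 5, as an added example (not Flowise's code and not the 3.0.13 fix): a deny-list check over the ranges listed in step 2. The function names, the IPv6 ranges and the 0.0.0.0/8 entry are assumptions added here, and the caller is assumed to pass in the addresses its DNS lookup returned.

```javascript
// Added example (not Flowise code): deny-list check for outbound HTTP Node targets.
const net = require('node:net');

// Ranges from the remediation steps, plus IPv6 counterparts (added assumption).
const DENY = new net.BlockList();
DENY.addSubnet('10.0.0.0', 8, 'ipv4');      // RFC 1918
DENY.addSubnet('172.16.0.0', 12, 'ipv4');   // RFC 1918
DENY.addSubnet('192.168.0.0', 16, 'ipv4');  // RFC 1918
DENY.addSubnet('127.0.0.0', 8, 'ipv4');     // loopback
DENY.addSubnet('169.254.0.0', 16, 'ipv4');  // link-local, includes cloud metadata
DENY.addSubnet('0.0.0.0', 8, 'ipv4');       // "this host" range
DENY.addAddress('::1', 'ipv6');             // IPv6 loopback
DENY.addAddress('::', 'ipv6');              // IPv6 unspecified
DENY.addSubnet('fc00::', 7, 'ipv6');        // IPv6 unique local
DENY.addSubnet('fe80::', 10, 'ipv6');       // IPv6 link-local

function isDeniedAddress(ip) {
  const family = net.isIP(ip);              // 4, 6, or 0 when not an IP literal
  if (family === 0) return true;            // fail closed on anything unparsable
  return DENY.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// resolvedAddresses: every address the caller's DNS lookup returned for the host.
function checkTarget(rawUrl, resolvedAddresses = []) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: 'unparsable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: 'scheme not allowed' };
  }
  // The WHATWG parser canonicalises decimal/hex IPv4 forms; strip IPv6 brackets.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const candidates = net.isIP(host) ? [host] : resolvedAddresses;
  if (candidates.length === 0) {
    return { allowed: false, reason: 'no resolved address' };
  }
  // One denied record is enough to reject: mixed answers are a rebinding signal.
  const bad = candidates.find(isDeniedAddress);
  if (bad) return { allowed: false, reason: `denied address ${bad}` };
  // Connect to the validated address itself and re-check every redirect hop.
  return { allowed: true, address: candidates[0] };
}
```

A check like this complements the network-level egress filtering in step 2 rather than replacing it, since the filter still applies if a code path skips validation.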

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

ISO 42001
A.6.2 - AI System Risk Controls
NIST AI RMF
MEASURE-2.5 - AI Risk Measurement — Trustworthy Characteristics
OWASP LLM Top 10
LLM07 - Insecure Plugin Design
LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-31829 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-31829, increasing the risk of exploitation.

How to fix CVE-2026-31829?

1. Patch immediately: upgrade to Flowise 3.0.13, which introduces host restrictions on the HTTP Node.
2. If patching is delayed: add network-level egress filtering from the Flowise container or host blocking RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16).
3. Require authentication for all chatflow and agentflow endpoints to eliminate unauthenticated access paths.
4. If running on AWS, enforce IMDSv2 (token-required) to block IMDSv1-style metadata fetch even if SSRF is present.
5. Audit existing flows for HTTP Nodes with user-controllable URL inputs and restrict via input validation or node-level allowlisting.
6. Review cloud IAM roles assigned to Flowise hosts and apply least-privilege scoping.

What systems are affected by CVE-2026-31829?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM orchestration platforms, Cloud-hosted AI deployments, No-code/low-code AI builders.

What is the CVSS score for CVE-2026-31829?

CVE-2026-31829 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.10%.

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints. This enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the public internet. This vulnerability is fixed in 3.0.13.

Exploitation Scenario

An attacker identifies a publicly accessible Flowise chatflow embedded in a SaaS product's AI assistant or a corporate internal tool. Using the chatflow interface, they craft a message that triggers the HTTP Node with the target URL set to http://169.254.169.254/latest/meta-data/iam/security-credentials/. The Flowise server makes the request server-side and returns the IAM role name in the chatflow response. The attacker issues a follow-up request to http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name> and receives temporary AWS credentials (AccessKeyId, SecretAccessKey, Token). Within minutes, they authenticate to AWS, enumerate S3 buckets containing training data and customer records, and create a persistent backdoor IAM user before the credentials expire.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: March 10, 2026
Last Modified: April 10, 2026
First Seen: March 10, 2026
