CVE-2026-31829: Flowise: SSRF via HTTP Node exposes internal network

GHSA-fvcw-9w9r-pxc7 HIGH PoC AVAILABLE CISA: ATTEND
Published March 10, 2026
CISO Take

Flowise's HTTP Node in AgentFlow and Chatflow accepts user-controlled URLs with zero restrictions, allowing any authenticated user of a publicly exposed chatflow to force the server to fetch internal RFC 1918 addresses, localhost services, or cloud metadata endpoints such as the AWS IMDSv1 endpoint at 169.254.169.254. With a CVSS of 8.8, low attack complexity, only low privileges required, and a public PoC already available, exploitation is well within reach of non-sophisticated attackers — this is not a theoretical risk. In cloud-hosted Flowise deployments, a single request to the metadata endpoint can yield temporary IAM credentials with broad permissions, enabling full cloud account takeover. Upgrade to Flowise 3.0.13 immediately; if patching is delayed, enforce network-level egress filtering blocking RFC 1918 ranges and the 169.254.0.0/16 link-local block from the Flowise host, require authentication on all chatflow endpoints, and enable IMDSv2 token-required mode on any AWS instances running Flowise.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk across cloud-hosted deployments. CVSS 8.8 with network accessibility, low complexity, low privileges required, and a public PoC represents a mature exploitation posture — the bar for an attacker is extremely low. Cloud-hosted instances face existential risk: a single successful request to the instance metadata endpoint can yield scoped or wildcard IAM credentials. On-premises deployments face internal network reconnaissance and lateral movement risks. With 16 prior CVEs in the same package, Flowise's security posture warrants scrutiny beyond this single issue.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm <= 3.0.12 3.0.13
Flowise npm No patch
Flowise npm <= 3.0.12 3.0.13

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
2.3%
chance of exploitation in 30 days
Higher than 81% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps
  1. Patch immediately: upgrade to Flowise 3.0.13 which introduces host restrictions on the HTTP Node.

  2. If patching is delayed: add network-level egress filtering from the Flowise container or host blocking RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16).

  3. Require authentication for all chatflow and agentflow endpoints to eliminate unauthenticated access paths.

  4. If running on AWS, enforce IMDSv2 (token-required) to block IMDSv1-style metadata fetch even if SSRF is present.

  5. Audit existing flows for HTTP Nodes with user-controllable URL inputs and restrict via input validation or node-level allowlisting.

  6. Review cloud IAM roles assigned to Flowise hosts and apply least-privilege scoping.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
A.6.2 - AI System Risk Controls
NIST AI RMF
MEASURE-2.5 - AI Risk Measurement — Trustworthy Characteristics
OWASP LLM Top 10
LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-31829?

Flowise's HTTP Node in AgentFlow and Chatflow accepts user-controlled URLs with zero restrictions, allowing any authenticated user of a publicly exposed chatflow to force the server to fetch internal RFC 1918 addresses, localhost services, or cloud metadata endpoints such as the AWS IMDSv1 endpoint at 169.254.169.254. With a CVSS of 8.8, low attack complexity, only low privileges required, and a public PoC already available, exploitation is well within reach of non-sophisticated attackers — this is not a theoretical risk. In cloud-hosted Flowise deployments, a single request to the metadata endpoint can yield temporary IAM credentials with broad permissions, enabling full cloud account takeover. Upgrade to Flowise 3.0.13 immediately; if patching is delayed, enforce network-level egress filtering blocking RFC 1918 ranges and the 169.254.0.0/16 link-local block from the Flowise host, require authentication on all chatflow endpoints, and enable IMDSv2 token-required mode on any AWS instances running Flowise.

Is CVE-2026-31829 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-31829, increasing the risk of exploitation.

How to fix CVE-2026-31829?

1. Patch immediately: upgrade to Flowise 3.0.13 which introduces host restrictions on the HTTP Node. 2. If patching is delayed: add network-level egress filtering from the Flowise container or host blocking RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16). 3. Require authentication for all chatflow and agentflow endpoints to eliminate unauthenticated access paths. 4. If running on AWS, enforce IMDSv2 (token-required) to block IMDSv1-style metadata fetch even if SSRF is present. 5. Audit existing flows for HTTP Nodes with user-controllable URL inputs and restrict via input validation or node-level allowlisting. 6. Review cloud IAM roles assigned to Flowise hosts and apply least-privilege scoping.

What systems are affected by CVE-2026-31829?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM orchestration platforms, Cloud-hosted AI deployments, No-code/low-code AI builders.

What is the CVSS score for CVE-2026-31829?

CVE-2026-31829 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 2.30%.

What is the AI security impact?

Affected AI Architectures

Agent frameworksLLM orchestration platformsCloud-hosted AI deploymentsNo-code/low-code AI builders

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials
AML.T0085.001 AI Agent Tools

Compliance Controls Affected

ISO 42001: A.6.2
NIST AI RMF: MEASURE-2.5
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints. This enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the public internet. This vulnerability is fixed in 3.0.13.

Exploitation Scenario

An attacker identifies a publicly accessible Flowise chatflow embedded in a SaaS product's AI assistant or a corporate internal tool. Using the chatflow interface, they craft a message that triggers the HTTP Node with the target URL set to http://169.254.169.254/latest/meta-data/iam/security-credentials/. The Flowise server makes the request server-side and returns the IAM role name in the chatflow response. The attacker issues a follow-up request to http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name> and receives temporary AWS credentials (AccessKeyId, SecretAccessKey, Token). Within minutes, they authenticate to AWS, enumerate S3 buckets containing training data and customer records, and create a persistent backdoor IAM user before the credentials expire.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
March 10, 2026
Last Modified
April 10, 2026
First Seen
March 10, 2026

Related Vulnerabilities