CVE-2026-31829: Flowise: SSRF via HTTP Node exposes internal network

HIGH PoC AVAILABLE
Published March 10, 2026
CISO Take

Flowise's HTTP Node in AgentFlow and Chatflow accepts user-controlled URLs with zero restrictions, allowing any authenticated user of a publicly exposed chatflow to force the server to fetch internal RFC 1918 addresses, localhost services, or cloud metadata endpoints such as the AWS IMDSv1 endpoint at 169.254.169.254. With a CVSS of 8.8, low attack complexity, only low privileges required, and a public PoC already available, exploitation is well within reach of non-sophisticated attackers — this is not a theoretical risk. In cloud-hosted Flowise deployments, a single request to the metadata endpoint can yield temporary IAM credentials with broad permissions, enabling full cloud account takeover. Upgrade to Flowise 3.0.13 immediately; if patching is delayed, enforce network-level egress filtering blocking RFC 1918 ranges and the 169.254.0.0/16 link-local block from the Flowise host, require authentication on all chatflow endpoints, and enable IMDSv2 token-required mode on any AWS instances running Flowise.

Sources: NVD GitHub Advisory ATLAS

Risk Assessment

High risk across cloud-hosted deployments. CVSS 8.8 with network accessibility, low complexity, low privileges required, and a public PoC represents a mature exploitation posture — the bar for an attacker is extremely low. Cloud-hosted instances face existential risk: a single successful request to the instance metadata endpoint can yield scoped or wildcard IAM credentials. On-premises deployments face internal network reconnaissance and lateral movement risks. With 16 prior CVEs in the same package, Flowise's security posture warrants scrutiny beyond this single issue.

Affected Systems

Package Ecosystem Vulnerable Range Patched
flowise npm No patch

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

  1. Patch immediately: upgrade to Flowise 3.0.13, which introduces host restrictions on the HTTP Node.
  2. If patching is delayed: add network-level egress filtering on the Flowise container or host that blocks RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16).
  3. Require authentication for all chatflow and agentflow endpoints to eliminate unauthenticated access paths.
  4. If running on AWS, enforce IMDSv2 (token-required) to block IMDSv1-style metadata fetch even if SSRF is present.
  5. Audit existing flows for HTTP Nodes with user-controllable URL inputs and restrict via input validation or node-level allowlisting.
  6. Review cloud IAM roles assigned to Flowise hosts and apply least-privilege scoping.
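
Action 5 calls for input validation on HTTP Node URLs. The following is an added example of such a destination check using Node's net.BlockList; it is not Flowise's 3.0.13 fix and not code from the advisory. The names checkTarget, isDeniedAddress and the resolved parameter are hypothetical, and the IPv6 ranges are an addition beyond the IPv4 ranges listed in action 2.

```javascript
// Added example: destination check for a server-side HTTP fetch (not Flowise's code).
const net = require('node:net');

// IPv4 ranges named in the recommended actions above.
const denied = new net.BlockList();
denied.addSubnet('10.0.0.0', 8, 'ipv4');      // RFC 1918
denied.addSubnet('172.16.0.0', 12, 'ipv4');   // RFC 1918
denied.addSubnet('192.168.0.0', 16, 'ipv4');  // RFC 1918
denied.addSubnet('127.0.0.0', 8, 'ipv4');     // loopback
denied.addSubnet('169.254.0.0', 16, 'ipv4');  // link-local, includes cloud metadata
// IPv6 counterparts (added by this example, not listed on the page).
denied.addSubnet('::1', 128, 'ipv6');         // loopback
denied.addSubnet('fc00::', 7, 'ipv6');        // unique local
denied.addSubnet('fe80::', 10, 'ipv6');       // link-local

function isDeniedAddress(ip) {
  const family = net.isIP(ip);                // 0 means "not an IP literal"
  if (family === 0) return true;              // fail closed on anything unparseable
  return denied.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// resolved: addresses the caller obtained from DNS for a hostname target
// (hypothetical parameter; not needed for IP-literal URLs).
function checkTarget(rawUrl, resolved = []) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: 'scheme not allowed' };
  }
  // WHATWG URL parsing canonicalizes IPv4 spellings (decimal, hex) and brackets IPv6.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const candidates = net.isIP(host) ? [host] : resolved;
  if (candidates.length === 0) return { allowed: false, reason: 'host not resolved' };
  // Every address must pass: one internal A/AAAA record is enough to reject.
  const bad = candidates.find(isDeniedAddress);
  return bad
    ? { allowed: false, reason: `denied address ${bad}` }
    : { allowed: true, reason: 'ok' };
}
```

The check only holds if the request then connects to the same address that was validated and if every redirect hop is passed through checkTarget again; otherwise DNS rebinding or a redirect to an internal host bypasses it.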

Classification

Compliance Impact

This CVE is relevant to:

ISO 42001: A.6.2 - AI System Risk Controls
NIST AI RMF: MEASURE-2.5 - AI Risk Measurement — Trustworthy Characteristics
OWASP LLM Top 10: LLM07 - Insecure Plugin Design; LLM08 - Excessive Agency

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints. This enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the public internet. This vulnerability is fixed in 3.0.13.

Exploitation Scenario

An attacker identifies a publicly accessible Flowise chatflow embedded in a SaaS product's AI assistant or a corporate internal tool. Using the chatflow interface, they craft a message that triggers the HTTP Node with the target URL set to http://169.254.169.254/latest/meta-data/iam/security-credentials/. The Flowise server makes the request server-side and returns the IAM role name in the chatflow response. The attacker issues a follow-up request to http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name> and receives temporary AWS credentials (AccessKeyId, SecretAccessKey, Token). Within minutes, they authenticate to AWS, enumerate S3 buckets containing training data and customer records, and create a persistent backdoor IAM user before the credentials expire.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: March 10, 2026
Last Modified: March 11, 2026
First Seen: March 10, 2026
