CVE-2026-41270: Flowise SSRF bypass exposes cloud

CISO Take

Flowise's Custom Function feature allows authenticated users to bypass the application's SSRF protections by leveraging Node.js native http/https modules — permitted in the NodeVM sandbox — instead of the blocked axios/node-fetch libraries, granting unrestricted access to internal network resources including cloud provider metadata services. This is particularly dangerous in cloud-hosted Flowise deployments where the IMDS endpoint (169.254.169.254) exposes IAM credentials, enabling full cloud account takeover from a single compromised or malicious user account. With a public PoC available, EPSS in the top 86th percentile of all CVEs, and a CISA SSVC rating of ATTEND, exploitation is plausible even without active KEV listing — and Flowise's track record of 59 prior CVEs signals systemic security debt. Upgrade to Flowise 3.1.0 immediately; as an interim measure, restrict Custom Function access to trusted administrators and enforce network-level egress blocks on IMDS IP ranges.

Sources: NVD EPSS GitHub Advisory ATLAS

What is the risk?

HIGH risk. The low privilege requirement (any authenticated user) combined with a publicly available PoC and EPSS top-86th-percentile ranking makes this accessible to a broad threat population including malicious insiders and credential-stuffing attackers. The impact ceiling far exceeds the CVSS 8.3 score — cloud metadata exposure yields IAM credentials enabling full cloud infrastructure compromise. Organizations running Flowise in AWS, GCP, or Azure environments with IMDSv1 enabled (the default) face immediate credential theft risk with minimal attacker sophistication required.

How does the attack unfold?

Initial Access

Attacker authenticates to Flowise using valid credentials obtained via credential stuffing, phishing, or insider access to reach the LLM flow builder interface.

AML.T0012

SSRF Exploitation

Attacker authors a Custom Function using Node.js native http/https modules — which bypass the HTTP_DENY_LIST controls — to craft SSRF requests targeting internal network resources.

AML.T0049

Cloud Service Discovery

SSRF request successfully reaches the cloud IMDS endpoint (169.254.169.254), returning IAM role names and temporary cloud credentials with the instance role's full permission set.

AML.T0075

Credential Theft & Impact

Attacker uses stolen IAM credentials from their own machine to perform lateral movement, exfiltrating AI training data, customer PII, or model artifacts from the victim's cloud infrastructure.

AML.T0055

Initial Access

Attacker authenticates to Flowise using valid credentials obtained via credential stuffing, phishing, or insider access to reach the LLM flow builder interface.

AML.T0012

SSRF Exploitation

Attacker authors a Custom Function using Node.js native http/https modules — which bypass the HTTP_DENY_LIST controls — to craft SSRF requests targeting internal network resources.

AML.T0049

Cloud Service Discovery

SSRF request successfully reaches the cloud IMDS endpoint (169.254.169.254), returning IAM role names and temporary cloud credentials with the instance role's full permission set.

AML.T0075

Credential Theft & Impact

Attacker uses stolen IAM credentials from their own machine to perform lateral movement, exfiltrating AI training data, customer PII, or model artifacts from the victim's cloud infrastructure.

AML.T0055

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	—	No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

8.3 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 14% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A Low

What should I do?

5 steps

PATCH

Upgrade Flowise to v3.1.0 immediately — this release extends SSRF controls to native Node.js modules within the NodeVM sandbox.
RESTRICT

If immediate patching is not possible, limit Custom Function access to administrator accounts only via Flowise RBAC settings.
NETWORK CONTROLS

Block outbound connections from the Flowise host to 169.254.169.254/32 (AWS/Azure IMDS), 169.254.170.2/32 (ECS Task Metadata), and fd00:ec2::254/128 (IPv6 IMDS) using host firewall rules or cloud security group egress policies.
IMDSV2: Enable IMDSv2 (PUT-token-required mode) on AWS EC2 instances running Flowise — the hop-limit-1 requirement blocks most SSRF-based metadata attacks without patching.
DETECT

Alert on outbound HTTP connections from the Flowise process to RFC 1918 and link-local ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) that fall outside expected application traffic patterns.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Extraction Privacy Violation Framework Agent Plugin AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0075 - Cloud Service Discovery

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.4 - AI System Security Controls

NIST AI RMF

MANAGE-2.2 - Mechanisms for Risk Treatment

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-41270?

Flowise's Custom Function feature allows authenticated users to bypass the application's SSRF protections by leveraging Node.js native http/https modules — permitted in the NodeVM sandbox — instead of the blocked axios/node-fetch libraries, granting unrestricted access to internal network resources including cloud provider metadata services. This is particularly dangerous in cloud-hosted Flowise deployments where the IMDS endpoint (169.254.169.254) exposes IAM credentials, enabling full cloud account takeover from a single compromised or malicious user account. With a public PoC available, EPSS in the top 86th percentile of all CVEs, and a CISA SSVC rating of ATTEND, exploitation is plausible even without active KEV listing — and Flowise's track record of 59 prior CVEs signals systemic security debt. Upgrade to Flowise 3.1.0 immediately; as an interim measure, restrict Custom Function access to trusted administrators and enforce network-level egress blocks on IMDS IP ranges.

Is CVE-2026-41270 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-41270, increasing the risk of exploitation.

How to fix CVE-2026-41270?

1. PATCH: Upgrade Flowise to v3.1.0 immediately — this release extends SSRF controls to native Node.js modules within the NodeVM sandbox. 2. RESTRICT: If immediate patching is not possible, limit Custom Function access to administrator accounts only via Flowise RBAC settings. 3. NETWORK CONTROLS: Block outbound connections from the Flowise host to 169.254.169.254/32 (AWS/Azure IMDS), 169.254.170.2/32 (ECS Task Metadata), and fd00:ec2::254/128 (IPv6 IMDS) using host firewall rules or cloud security group egress policies. 4. IMDSV2: Enable IMDSv2 (PUT-token-required mode) on AWS EC2 instances running Flowise — the hop-limit-1 requirement blocks most SSRF-based metadata attacks without patching. 5. DETECT: Alert on outbound HTTP connections from the Flowise process to RFC 1918 and link-local ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) that fall outside expected application traffic patterns.

What systems are affected by CVE-2026-41270?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM flow builders, cloud-hosted AI platforms, multi-tenant AI builder platforms.

What is the CVSS score for CVE-2026-41270?

CVE-2026-41270 has a CVSS v3.1 base score of 8.3 (HIGH). The EPSS exploitation probability is 0.23%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM flow builderscloud-hosted AI platformsmulti-tenant AI builder platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

AML.T0055 Unsecured Credentials

AML.T0075 Cloud Service Discovery

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.4

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM06, LLM07

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services) This vulnerability is fixed in 3.1.0.

Exploitation Scenario

An attacker with a standard Flowise user account — obtained via credential stuffing, phishing, or as a malicious insider — opens the Custom Function editor within an LLM flow. They write a function using Node.js built-in `require('http').get('http://169.254.169.254/latest/meta-data/iam/security-credentials/', ...)` to query the AWS instance metadata service. Because HTTP_DENY_LIST only intercepts axios and node-fetch calls, the native http request bypasses all SSRF protections and returns the list of attached IAM roles. The attacker queries the role-specific endpoint to extract AccessKeyId, SecretAccessKey, and Token. Using these credentials from their own machine via the AWS CLI, they enumerate S3 buckets, RDS instances, and Secrets Manager entries, subsequently exfiltrating training data, customer PII, or proprietary model artifacts from the victim's AI infrastructure — all traceable only to the Flowise host's identity, not the attacker's.

Weaknesses (CWE)

CWE-284 Improper Access Control Primary CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

[Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
[Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.