AI Threat Alert

CVE-2026-41271: Flowise: SSRF via prompt template injection in API Chain

HIGH PoC AVAILABLE CISA: ATTEND
Published April 23, 2026
CISO Take

CVE-2026-41271 is a Server-Side Request Forgery vulnerability in Flowise's API Chain components that allows low-privileged attackers to inject malicious prompt templates and force the server to make arbitrary HTTP requests to internal services. For organizations using Flowise to orchestrate LLM workflows, this creates a direct path from the public API to internal network resources — think cloud metadata endpoints (AWS IMDS), internal databases, and backend services that assume network isolation as their only defense. A public PoC already exists and EPSS places this in the top 81st percentile for exploitation likelihood, meaning skilled attackers are likely already scanning for exposed instances. Patch to Flowise 3.1.0 immediately; if patching is not yet feasible, restrict API access to authenticated sessions only and enforce egress filtering on the Flowise container to block RFC 1918 and cloud metadata address ranges.

Sources: NVD GitHub Advisory EPSS ATLAS

What is the risk?

HIGH. Network-accessible SSRF with low privilege requirement, no user interaction, an available PoC, and CISA SSVC rated ATTEND represents a credible near-term exploitation risk. Impact is amplified in cloud-hosted deployments where SSRF reaches metadata services to harvest IAM credentials. The 59 other CVEs in the same package signal a history of inadequate security practices in this codebase, warranting elevated scrutiny of any Flowise deployment in sensitive environments.

How does the attack unfold?

Initial Access
Attacker identifies an exposed Flowise instance and obtains low-privilege API access to the API Chain component, either via a trial account or stolen credentials.
AML.T0049
Prompt Injection
Attacker crafts a malicious prompt template submitted to the API Chain POST/GET endpoint, injecting URL overrides that bypass the intended API documentation constraints.
AML.T0051.000
Internal Reconnaissance
The Flowise server executes attacker-specified HTTP requests to internal targets (cloud metadata service at 169.254.169.254, internal APIs, RFC 1918 hosts), returning responses through the workflow output channel.
AML.T0006
Data Exfiltration
Attacker harvests sensitive data from internal service responses, including cloud IAM credentials, internal API data, and network topology information usable for further lateral movement.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1
8.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 14% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A Low

What should I do?

5 steps

  1. PATCH

    Upgrade to Flowise 3.1.0 — the only confirmed fix.

  2. NETWORK ISOLATION

    Place Flowise behind an authenticated reverse proxy; block unauthenticated access to the API Chain endpoint at the network perimeter.

  3. EGRESS FILTERING

    Restrict outbound HTTP from the Flowise container to explicitly whitelisted endpoints; block RFC 1918 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata IPs (169.254.169.254, 100.64.0.0/10).

  4. CLOUD HARDENING

    Enforce IMDSv2 on EC2 instances and equivalent protections on GCP/Azure to limit SSRF impact even if patching is delayed.

  5. DETECTION

    Alert on HTTP requests from the Flowise process/container targeting internal IP ranges or metadata endpoints; review Flowise API logs for unusual template payloads containing internal hostnames or IPs.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Prompt Injection Data Extraction Agent Framework AML.T0006 AML.T0025 AML.T0049 AML.T0051.000 AML.T0053

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2 - AI System Security Testing and Validation
NIST AI RMF
MANAGE 2.2 - AI Risk Response and Treatment
OWASP LLM Top 10
LLM01:2025 - Prompt Injection LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-41271?

CVE-2026-41271 is a Server-Side Request Forgery vulnerability in Flowise's API Chain components that allows low-privileged attackers to inject malicious prompt templates and force the server to make arbitrary HTTP requests to internal services. For organizations using Flowise to orchestrate LLM workflows, this creates a direct path from the public API to internal network resources — think cloud metadata endpoints (AWS IMDS), internal databases, and backend services that assume network isolation as their only defense. A public PoC already exists and EPSS places this in the top 81st percentile for exploitation likelihood, meaning skilled attackers are likely already scanning for exposed instances. Patch to Flowise 3.1.0 immediately; if patching is not yet feasible, restrict API access to authenticated sessions only and enforce egress filtering on the Flowise container to block RFC 1918 and cloud metadata address ranges.

Is CVE-2026-41271 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-41271, increasing the risk of exploitation.

How to fix CVE-2026-41271?

1. PATCH: Upgrade to Flowise 3.1.0 — the only confirmed fix. 2. NETWORK ISOLATION: Place Flowise behind an authenticated reverse proxy; block unauthenticated access to the API Chain endpoint at the network perimeter. 3. EGRESS FILTERING: Restrict outbound HTTP from the Flowise container to explicitly whitelisted endpoints; block RFC 1918 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata IPs (169.254.169.254, 100.64.0.0/10). 4. CLOUD HARDENING: Enforce IMDSv2 on EC2 instances and equivalent protections on GCP/Azure to limit SSRF impact even if patching is delayed. 5. DETECTION: Alert on HTTP requests from the Flowise process/container targeting internal IP ranges or metadata endpoints; review Flowise API logs for unusual template payloads containing internal hostnames or IPs.

What systems are affected by CVE-2026-41271?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM workflow platforms, API integration pipelines, Cloud-hosted AI deployments.

What is the CVSS score for CVE-2026-41271?

CVE-2026-41271 has a CVSS v3.1 base score of 8.3 (HIGH). The EPSS exploitation probability is 0.23%.

What is the AI security impact?

Affected AI Architectures

Agent frameworksLLM workflow platformsAPI integration pipelinesCloud-hosted AI deployments

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0051.000 Direct
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM01:2025, LLM06:2025

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.

Exploitation Scenario

An attacker with a low-privilege API credential (or none, if the instance runs without auth) crafts a POST request to Flowise's API Chain endpoint with a prompt template that injects a URL override pointing to http://169.254.169.254/latest/meta-data/iam/security-credentials/ on an AWS-hosted deployment. The LLM processes the template and the server makes the HTTP request, returning the AWS IAM role credentials in the workflow response. With a working PoC already public, this can be scripted to scan for exposed Flowise instances and automatically harvest credentials — requiring no AI or ML expertise, just knowledge of the target endpoint URL.

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

References

Timeline

Published
April 23, 2026
Last Modified
April 24, 2026
First Seen
April 23, 2026

Related Vulnerabilities

CRITICAL CVE-2025-59528 10.0

Flowise: Unauthenticated RCE via MCP config injection

Same package: flowise
CRITICAL CVE-2026-46442 9.9

Flowise: sandbox escape enables authenticated RCE

Same package: flowise
CRITICAL CVE-2025-61913 9.9

Flowise: path traversal in file tools leads to RCE

Same package: flowise
CRITICAL CVE-2026-40933 9.9

Flowise: RCE via MCP stdio command injection

Same package: flowise
CRITICAL CVE-2026-56274 9.9

Flowise: RCE via MCP server command validation bypass

Same package: flowise
Back to Threat Feed