CVE-2026-43995: Flowise: SSRF in agent tools bypasses security wrapper

CRITICAL CISA: TRACK*
Published May 11, 2026
CISO Take

Flowise versions prior to 3.1.0 contain a Server-Side Request Forgery (SSRF) vulnerability where four built-in agent tools — OpenAPIToolkit, WebScraperTool, MCP core, and Arxiv — bypass the platform's secured HTTP wrapper and invoke raw HTTP clients (node-fetch, axios) directly, stripping any outbound request controls. For organizations running Flowise as their LLM orchestration layer, this means an attacker who can craft or inject a malicious flow — including via prompt injection into an agent that auto-invokes these tools — can reach cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), internal APIs, and other RFC-1918 resources inaccessible from the public internet. No CVSS score is assigned yet, there is no public exploit and it is not in CISA KEV, but Flowise is widely deployed in agentic AI stacks where cloud credential exposure from metadata SSRF is a well-understood, high-value target. Patch to Flowise 3.1.0 immediately; if you cannot patch, disable or restrict the four affected tools and implement egress firewall rules blocking cloud metadata IP ranges from your Flowise host.

Sources: GitHub Advisory, NVD, ATLAS

What is the risk?

Medium-High. The SSRF vector is straightforward — CWE-918 via unprotected HTTP clients in commonly-used agent tools. The secured wrapper bypass implies Flowise's own defenses were designed to prevent exactly this class of request, meaning the patch exists and the risk is architectural rather than novel. No public exploit or scanner template exists yet, and EPSS is unavailable, reducing immediate opportunistic risk. However, Flowise is popular in agentic AI deployments where the tools affected (WebScraper, OpenAPI, MCP) are core workflow components. Cloud-hosted deployments are at highest risk due to metadata SSRF enabling IAM credential theft. On-premise deployments face internal network reconnaissance risk.

How does the attack unfold?

  1. Tool Targeting (AML.T0084.001): Attacker identifies a Flowise deployment using WebScraperTool, OpenAPIToolkit, MCP, or Arxiv tools in a flow accessible to external or low-privilege users.

  2. SSRF Trigger (AML.T0049): Attacker submits a crafted input (URL or API endpoint) that causes the vulnerable tool to invoke a raw HTTP client (axios/node-fetch) against an internal target such as the AWS metadata endpoint.

  3. Credential Harvesting (AML.T0083): The unguarded HTTP client fetches the internal resource (e.g., IAM credentials from 169.254.169.254) and the response is processed by the LLM, surfacing sensitive data in the output or tool response.

  4. Lateral Movement (AML.T0086): Harvested cloud credentials are used outside Flowise to access S3 buckets, databases, or other cloud resources containing training data, model artifacts, or user data.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 31% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. Patch: Upgrade Flowise to 3.1.0 immediately — this is the only complete fix.

  2. If patching is blocked: disable WebScraperTool, OpenAPIToolkit, MCP core, and Arxiv tools in affected flows.

  3. Network controls: Block outbound HTTP from the Flowise host to cloud metadata ranges (169.254.169.254, 100.100.100.200) and RFC-1918 space at the host firewall level.

  4. IMDSv2 enforcement: If running on AWS EC2, enforce IMDSv2 (PUT-based token required) to mitigate metadata SSRF even if exploited.

  5. Detection: Monitor Flowise host outbound HTTP logs for requests to internal IP ranges, metadata endpoints, or unexpected internal hostnames.

  6. Audit flows: Review all deployed Flowise flows for use of the four affected tools and assess blast radius if SSRF were achieved from each deployment context.

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.8.2 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain deployment are evaluated and applied
OWASP LLM Top 10: LLM07 - Insecure Plugin Design; LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-43995 actively exploited?

No confirmed active exploitation of CVE-2026-43995 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-43995?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM workflows, MCP tool integrations.

What is the CVSS score for CVE-2026-43995?

CVE-2026-43995 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.40%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, RAG pipelines, LLM workflows, MCP tool integrations

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0051.001 Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0083 Credentials from AI Agent Configuration
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2) WebScraperTool/WebScraperTool.ts, (3) MCP/core.ts, and (4) Arxiv/core.ts. This vulnerability is fixed in 3.1.0.

Exploitation Scenario

An attacker targets an organization's Flowise deployment used for an internal research assistant that auto-scrapes URLs from user queries. The attacker submits a query containing a URL pointing to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` — WebScraperTool, using raw axios without the secured wrapper's SSRF protection, fetches the endpoint and returns temporary AWS IAM credentials. The LLM processes the credential response and may surface them in its output or the attacker exfiltrates them via a follow-up injection. With short-lived EC2 role credentials, the attacker then pivots to S3 buckets containing training data, vector database dumps, or other sensitive AI artifacts.
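
The kind of destination check a secured outbound wrapper applies before a tool fetches a URL, run against the metadata address from the scenario above. This is an added example, not Flowise's code: `checkDestination`, `isBlockedV4` and the `resolved` argument are hypothetical names, and blocking all of 100.64.0.0/10 is a choice made here.

```javascript
// Added example; every name here is hypothetical, not a Flowise API.
// IPv4 ranges a server-side fetcher should never reach: "this network",
// RFC 1918, loopback, link-local (metadata at 169.254.169.254) and
// 100.64.0.0/10, which contains the 100.100.100.200 metadata address.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted quad -> unsigned 32-bit integer, or null when it is not one.
function v4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
  });
}

// `resolved` holds the addresses DNS returned for the hostname; the caller
// supplies it, and it is ignored when the host is already an IPv4 literal.
function checkDestination(rawUrl, resolved = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allow: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allow: false, reason: 'scheme ' + url.protocol };
  }
  const host = url.hostname;
  // Fail closed on IPv6 literals instead of classifying them in this example.
  if (host.startsWith('[')) return { allow: false, reason: 'IPv6 literal' };
  // new URL() has already canonicalised decimal, hex and octal IPv4 hosts.
  const candidates = v4ToInt(host) !== null ? [host] : resolved;
  if (candidates.length === 0) return { allow: false, reason: 'no resolved address' };
  // Every address must parse as IPv4 and fall outside the blocked ranges.
  const bad = candidates.find((ip) => v4ToInt(ip) === null || isBlockedV4(ip));
  if (bad) return { allow: false, reason: 'blocked address ' + bad };
  return { allow: true, reason: 'ok' };
}
```

The verdict only holds if the HTTP client connects to the same address that was checked and the check is repeated on every redirect hop; validating a hostname and then letting the client resolve it again leaves a DNS rebinding gap.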

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 11, 2026
Last Modified
May 20, 2026
First Seen
May 11, 2026