CVE-2026-43995 — UNKNOWN AI Security Vulnerability

CISO Take

Flowise versions prior to 3.1.0 contain a Server-Side Request Forgery (SSRF) vulnerability where four built-in agent tools — OpenAPIToolkit, WebScraperTool, MCP core, and Arxiv — bypass the platform's secured HTTP wrapper and invoke raw HTTP clients (node-fetch, axios) directly, stripping any outbound request controls. For organizations running Flowise as their LLM orchestration layer, this means an attacker who can craft or inject a malicious flow — including via prompt injection into an agent that auto-invokes these tools — can reach cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), internal APIs, and other RFC-1918 resources inaccessible from the public internet. No CVSS score is assigned yet, there is no public exploit and it is not in CISA KEV, but Flowise is widely deployed in agentic AI stacks where cloud credential exposure from metadata SSRF is a well-understood, high-value target. Patch to Flowise 3.1.0 immediately; if you cannot patch, disable or restrict the four affected tools and implement egress firewall rules blocking cloud metadata IP ranges from your Flowise host.

Sources: GitHub Advisory NVD ATLAS

Risk Assessment

Medium-High. The SSRF vector is straightforward — CWE-918 via unprotected HTTP clients in commonly-used agent tools. The secured wrapper bypass implies Flowise's own defenses were designed to prevent exactly this class of request, meaning the patch exists and the risk is architectural rather than novel. No public exploit or scanner template exists yet, and EPSS is unavailable, reducing immediate opportunistic risk. However, Flowise is popular in agentic AI deployments where the tools affected (WebScraper, OpenAPI, MCP) are core workflow components. Cloud-hosted deployments are at highest risk due to metadata SSRF enabling IAM credential theft. On-premise deployments face internal network reconnaissance risk.

Attack Kill Chain

Tool Targeting

Attacker identifies a Flowise deployment using WebScraperTool, OpenAPIToolkit, MCP, or Arxiv tools in a flow accessible to external or low-privilege users.

AML.T0084.001

SSRF Trigger

Attacker submits a crafted input (URL or API endpoint) that causes the vulnerable tool to invoke a raw HTTP client (axios/node-fetch) against an internal target such as the AWS metadata endpoint.

AML.T0049

Credential Harvesting

The unguarded HTTP client fetches the internal resource (e.g., IAM credentials from 169.254.169.254) and the response is processed by the LLM, surfacing sensitive data in the output or tool response.

AML.T0083

Lateral Movement

Harvested cloud credentials are used outside Flowise to access S3 buckets, databases, or other cloud resources containing training data, model artifacts, or user data.

AML.T0086

Tool Targeting

Attacker identifies a Flowise deployment using WebScraperTool, OpenAPIToolkit, MCP, or Arxiv tools in a flow accessible to external or low-privilege users.

AML.T0084.001

SSRF Trigger

Attacker submits a crafted input (URL or API endpoint) that causes the vulnerable tool to invoke a raw HTTP client (axios/node-fetch) against an internal target such as the AWS metadata endpoint.

AML.T0049

Credential Harvesting

The unguarded HTTP client fetches the internal resource (e.g., IAM credentials from 169.254.169.254) and the response is processed by the LLM, surfacing sensitive data in the output or tool response.

AML.T0083

Lateral Movement

Harvested cloud credentials are used outside Flowise to access S3 buckets, databases, or other cloud resources containing training data, model artifacts, or user data.

AML.T0086

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
flowise	npm	—	No patch

Do you use flowise? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

6 steps

Patch: Upgrade Flowise to 3.1.0 immediately — this is the only complete fix.
If patching is blocked: disable WebScraperTool, OpenAPIToolkit, MCP core, and Arxiv tools in affected flows.
Network controls: Block outbound HTTP from the Flowise host to cloud metadata ranges (169.254.169.254, 100.100.100.200) and RFC-1918 space at the host firewall level.
IMDSv2 enforcement: If running on AWS EC2, enforce IMDSv2 (PUT-based token required) to mitigate metadata SSRF even if exploited.
Detection: Monitor Flowise host outbound HTTP logs for requests to internal IP ranges, metadata endpoints, or unexpected internal hostnames.
Audit flows: Review all deployed Flowise flows for use of the four affected tools and assess blast radius if SSRF were achieved from each deployment context.

Classification

Code Execution Data Extraction Auth Bypass Agent Framework Plugin AML.T0049 - Exploit Public-Facing Application AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0083 - Credentials from AI Agent Configuration AML.T0086 - Exfiltration via AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.8.2 - AI system security

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain deployment are evaluated and applied

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-43995?

Flowise versions prior to 3.1.0 contain a Server-Side Request Forgery (SSRF) vulnerability where four built-in agent tools — OpenAPIToolkit, WebScraperTool, MCP core, and Arxiv — bypass the platform's secured HTTP wrapper and invoke raw HTTP clients (node-fetch, axios) directly, stripping any outbound request controls. For organizations running Flowise as their LLM orchestration layer, this means an attacker who can craft or inject a malicious flow — including via prompt injection into an agent that auto-invokes these tools — can reach cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), internal APIs, and other RFC-1918 resources inaccessible from the public internet. No CVSS score is assigned yet, there is no public exploit and it is not in CISA KEV, but Flowise is widely deployed in agentic AI stacks where cloud credential exposure from metadata SSRF is a well-understood, high-value target. Patch to Flowise 3.1.0 immediately; if you cannot patch, disable or restrict the four affected tools and implement egress firewall rules blocking cloud metadata IP ranges from your Flowise host.

Is CVE-2026-43995 actively exploited?

No confirmed active exploitation of CVE-2026-43995 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-43995?

1. Patch: Upgrade Flowise to 3.1.0 immediately — this is the only complete fix. 2. If patching is blocked: disable WebScraperTool, OpenAPIToolkit, MCP core, and Arxiv tools in affected flows. 3. Network controls: Block outbound HTTP from the Flowise host to cloud metadata ranges (169.254.169.254, 100.100.100.200) and RFC-1918 space at the host firewall level. 4. IMDSv2 enforcement: If running on AWS EC2, enforce IMDSv2 (PUT-based token required) to mitigate metadata SSRF even if exploited. 5. Detection: Monitor Flowise host outbound HTTP logs for requests to internal IP ranges, metadata endpoints, or unexpected internal hostnames. 6. Audit flows: Review all deployed Flowise flows for use of the four affected tools and assess blast radius if SSRF were achieved from each deployment context.

What systems are affected by CVE-2026-43995?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM workflows, MCP tool integrations.

What is the CVSS score for CVE-2026-43995?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2) WebScraperTool/WebScraperTool.ts, (3) MCP/core.ts, and (4) Arxiv/core.ts. This vulnerability is fixed in 3.1.0.

Exploitation Scenario

An attacker targets an organization's Flowise deployment used for an internal research assistant that auto-scrapes URLs from user queries. The attacker submits a query containing a URL pointing to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` — WebScraperTool, using raw axios without the secured wrapper's SSRF protection, fetches the endpoint and returns temporary AWS IAM credentials. The LLM processes the credential response and may surface them in its output or the attacker exfiltrates them via a follow-up injection. With short-lived EC2 role credentials, the attacker then pivots to S3 buckets containing training data, vector database dumps, or other sensitive AI artifacts.