Flowise SSRF Bypass: Internal Network at Risk

The National Vulnerability Database has published details of CVE-2026-41270, a critical Server-Side Request Forgery (SSRF) protection bypass in Flowise, a drag-and-drop UI for building custom LLM flows. Prior to version 3.1.0, Flowise’s Custom Function feature allowed authenticated users to circumvent existing SSRF controls. The application applies HTTP_DENY_LIST to requests made through the axios and node-fetch libraries, but leaves the built-in Node.js http, https, and net modules unprotected within its NodeVM sandbox.

This oversight means an authenticated attacker can leverage these unmonitored modules to bypass the intended SSRF protections. The implications are significant: direct access to internal network resources becomes possible. This includes sensitive targets like cloud provider metadata services, which often contain credentials and configuration data critical for further compromise. The vulnerability carries a CVSS score of 7.1 (HIGH), underscoring its potential impact.

For defenders, this means a clear, direct path to internal systems if Flowise instances are exposed and unpatched. The attacker’s calculus is simple: gain authenticated access to Flowise, then exploit this bypass to pivot deeper into the network. This isn’t theoretical; it’s a blueprint for lateral movement and privilege escalation. The fix is in version 3.1.0, and immediate patching is non-negotiable for anyone running Flowise.

What This Means For You

  • If your organization uses Flowise for LLM development, you must immediately verify that all instances are updated to version 3.1.0 or later. Prior versions are vulnerable to an SSRF bypass that allows authenticated users to access internal network resources, including critical cloud metadata services. Patching is your only defense against this direct path to your internal infrastructure.
Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access)

Indicators of Compromise

ID               Type   Indicator
CVE-2026-41270   SSRF   Flowise < 3.1.0
CVE-2026-41270   SSRF   Flowise Custom Function feature
CVE-2026-41270   SSRF   Bypass of HTTP_DENY_LIST for axios and node-fetch by using Node.js http, https, and net modules in the NodeVM sandbox

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 23, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
