CVE-2026-41270 - Vulnerability Analysis
High | CVSS: 7.1 | Last Updated: April 24, 2026
Flowise - Server Side Request Forgery
Published: April 23, 2026 | Updated: April 24, 2026 | PoC Available | Remote Exploitable
Overview
Flowise versions before 3.1.0 contain a server-side request forgery (SSRF) protection bypass. The SSRF filtering in the Custom Function feature is incomplete: it still allows use of the Node.js http, https, and net modules, which lets authenticated users access internal network resources.
Severity & Score
Severity: High
CVSS Score: 7.1
Impact
Authenticated users can bypass SSRF protections to access internal network resources, potentially exposing sensitive internal data.
Mitigation
Update to version 3.1.0 or later.
Details
- CVE ID: CVE-2026-41270
- Severity: High
- CVSS Score: 7.1
- Type: server_side_request_forgery
- Status: confirmed
CWE
- CWE-284
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L