CVE-2026-41270
Published: 23 April 2026
Summary
CVE-2026-41270 is a high-severity Improper Access Control (CWE-284) vulnerability in Flowiseai Flowise. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 13.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
SI-2 requires timely flaw remediation. Upgrading Flowise to version 3.1.0, which fixes the SSRF bypass in the NodeVM sandbox, directly mitigates this CVE.
AC-4 enforces information flow control policies that prevent custom functions from bypassing SSRF protections to access internal network resources via unprotected Node.js modules.
CM-7 implements least functionality by restricting or disabling unnecessary network modules like Node.js http, https, and net within the sandboxed custom function environment.
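One way to check for the gap that AC-4 and CM-7 address, as an added example that is not Flowise's own code: audit which network-capable core modules a sandbox exposes outside any deny-list wrapper, and test resolved addresses against a deny list at connect time. All function names, the module list and the CIDR list are hypothetical, and IPv4-only egress is assumed.

```javascript
// Added example, not Flowise code: every name below is hypothetical.
// Node.js core modules that can open sockets or resolve names by themselves.
const NETWORK_BUILTINS = ['http', 'https', 'http2', 'net', 'tls', 'dgram', 'dns'];

// Return the network-capable builtins a sandbox exposes that no deny-list
// wrapper covers (the gap described above for http, https and net).
function unguardedNetworkBuiltins(allowedBuiltins, guardedModules) {
  const strip = (name) => name.replace(/^node:/, '');
  const allowed = new Set(allowedBuiltins.map(strip));
  const guarded = new Set(guardedModules.map(strip));
  return NETWORK_BUILTINS.filter((m) => allowed.has(m) && !guarded.has(m));
}

// Constructed deny list: loopback, private, link-local and "this network" ranges.
const DENY_CIDRS = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12',
  '192.168.0.0/16', '169.254.0.0/16', '0.0.0.0/8'];

// Parse strict dotted-quad IPv4 into an unsigned integer, or null if malformed.
// Leading zeros are rejected so octal-looking forms never reach the range test.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

// True when an address must be blocked. Call this on the address the socket
// will actually connect to (after DNS resolution), not on the hostname.
// Fails closed: anything that is not strict IPv4 (including IPv6) is denied.
function isDeniedAddress(ip, cidrs = DENY_CIDRS) {
  const addr = ipv4ToInt(ip.toLowerCase().replace(/^::ffff:/, ''));
  if (addr === null) return true;
  return cidrs.some((cidr) => {
    const [base, bits] = cidr.split('/');
    const start = ipv4ToInt(base);
    return addr >= start && addr < start + 2 ** (32 - Number(bits));
  });
}
```

A non-empty result from `unguardedNetworkBuiltins` means the deny list can be sidestepped from inside the sandbox; either drop those modules from the allowlist or route them through the same `isDeniedAddress` check.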
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
SSRF bypass in public-facing web app (Flowise) enables T1190 for initial access; explicit support for requests to cloud metadata services enables T1552.005 for credential/data access.
NVD Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services). This vulnerability is fixed in 3.1.0.
Deeper analysis (AI)
CVE-2026-41270 is a Server-Side Request Forgery (SSRF) protection bypass vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. The issue affects versions prior to 3.1.0 and resides in the Custom Function feature, where SSRF protections are implemented via an HTTP_DENY_LIST for the axios and node-fetch libraries. However, the built-in Node.js http, https, and net modules remain unrestricted within the NodeVM sandbox, enabling attackers to circumvent these controls. The vulnerability is associated with CWE-284 (Improper Access Control) and CWE-918 (SSRF), with a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L).
Authenticated users with low privileges (PR:L) can exploit this vulnerability over the network, though it requires high attack complexity (AC:H). By crafting custom functions that leverage the unprotected Node.js modules, attackers can bypass SSRF mitigations and make unauthorized requests to internal network resources, such as cloud provider metadata services. Successful exploitation grants high confidentiality and integrity impacts (C:H/I:H), along with low availability impact (A:L), potentially allowing attackers to exfiltrate sensitive data or pivot within the internal network.
The official GitHub security advisory (GHSA-xhmj-rg95-44hv) confirms that the vulnerability is fully remediated in Flowise version 3.1.0, recommending that users upgrade immediately to mitigate the risk. No additional workarounds are detailed in the provided information.
Flowise's focus on LLM orchestration introduces AI/ML relevance, as exploited instances could compromise AI workflows by accessing internal services that inform model behaviors or data pipelines. No evidence of real-world exploitation is available in the provided details.
Details
- CWE(s)
Affected Products
AI Security Analysis (AI)
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: large language model