Cyber Posture

CVE-2026-41271

Severity: High · Public PoC referenced

Published: 23 April 2026
Modified: 24 April 2026
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0010 (27.2nd percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41271 is a high-severity SSRF (CWE-918) vulnerability in Flowiseai Flowise. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 27.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Other AI Platforms, in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Validates information inputs to POST/GET API Chain components to block malicious prompt templates that trigger SSRF requests.

prevent: Enforces approved information flow control policies to restrict server-initiated HTTP requests to only authorized internal and external destinations, preventing SSRF exploitation.

prevent, detect: Monitors and controls communications at system boundaries to block or detect unauthorized outbound HTTP requests to internal services induced by SSRF.
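The input-validation and flow-enforcement controls above amount to one concrete check: before an API Chain component fetches a URL that a prompt template produced, confirm the destination is under a documented API base and that its host resolves only to public addresses. The Python below is an added example of such an egress check, not Flowise code or anything from the advisory; the allowlist value and the injectable resolver are assumptions made so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for the example: the base URL(s) an API Chain is
# documented to call. Assumed value, not taken from Flowise or the advisory.
ALLOWED_BASES = ("https://api.example.com/v1/",)


def is_public_ip(addr):
    """True only for globally routable addresses (no RFC 1918, loopback, etc.)."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _parts(url):
    """Normalise a URL into (scheme, host, port, path) for comparison."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return p.scheme, (p.hostname or "").lower(), port, p.path or "/"


def check_outbound_url(url, allowed_bases=ALLOWED_BASES, resolver=socket.getaddrinfo):
    """Return (ok, reason). Approve only URLs under an allowed base whose host resolves
    exclusively to public addresses; `resolver` mirrors socket.getaddrinfo's shape."""
    try:
        p = urlsplit(url)
        scheme, host, port, path = _parts(url)
    except ValueError:
        return False, "malformed URL"
    if scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if p.username is not None or p.password is not None:
        return False, "credentials in URL"   # allowed-host@other-host confusion
    if ".." in path.split("/"):
        return False, "path traversal"       # /v1/../other escapes the base
    if not any((scheme, host, port) == _parts(b)[:3] and path.startswith(_parts(b)[3])
               for b in allowed_bases):
        return False, "destination not in API allowlist"
    try:
        addrs = {info[4][0] for info in resolver(host, port)}
    except OSError:
        return False, "host does not resolve"
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return False, "resolves to non-public address"
    # Caller should connect to one of `addrs`, not re-resolve (DNS rebinding).
    return True, "ok"
```

The check must run on the final URL after template rendering, and the HTTP client should be pinned to the address that was validated rather than resolving the name a second time.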

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1018 Remote System Discovery (Discovery): Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

Why these techniques?

The SSRF vulnerability in a public-facing web application (Flowise) directly enables T1190 for initial exploitation. Because it allows arbitrary HTTP requests to internal systems, it also facilitates internal reconnaissance via T1018 (Remote System Discovery) and T1046 (Network Service Discovery).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.

Deeper analysis

CVE-2026-41271 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. The issue resides in the POST/GET API Chain components in versions prior to 3.1.0, allowing attackers to force the server to initiate unintended HTTP requests. Published on 2026-04-23, it carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), rated High severity due to its potential for high confidentiality and integrity impact.

Unauthenticated attackers can exploit the vulnerability by injecting malicious prompt templates into the API Chain components, bypassing intended API documentation constraints. This enables redirection of server requests to arbitrary internal and external systems, facilitating internal network reconnaissance and potential data exfiltration from sensitive services.

The vulnerability is addressed in Flowise version 3.1.0. Advisories recommend upgrading to this patched release to mitigate the SSRF risk. Additional details are available in the GitHub security advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6r77-hqx7-7vw8.

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products: flowiseai / flowise, ≤ 3.1.0

AI Security Analysis

AI Category: Other AI Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: large language model

CVEs Like This One

CVE-2026-41272 (same product: Flowiseai Flowise)
CVE-2026-31829 (same product: Flowiseai Flowise)
CVE-2026-41270 (same product: Flowiseai Flowise)
CVE-2026-41274 (same product: Flowiseai Flowise)
CVE-2026-41277 (same product: Flowiseai Flowise)
CVE-2026-41264 (same product: Flowiseai Flowise)
CVE-2026-41278 (same product: Flowiseai Flowise)
CVE-2026-30824 (same product: Flowiseai Flowise)
CVE-2026-41268 (same product: Flowiseai Flowise)
CVE-2026-41265 (same product: Flowiseai Flowise)

References