{"data":{"id":"3f5b8e7a-9823-44c0-960d-71bf00127372","title":"CVE-2026-41270: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side R","summary":"Flowise, a tool for building custom AI workflows through a visual interface, had a vulnerability in versions before 3.1.0 that let authenticated users bypass its server-side request forgery (SSRF) protection, a control meant to stop the application from making requests to internal networks. The Custom Function feature blocked some ways of making network requests but left others unprotected, so an attacker could potentially reach sensitive internal resources such as cloud provider metadata services.","solution":"This vulnerability is fixed in version 3.1.0.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-41270","publishedAt":"2026-04-23T20:16:15.547Z","cveId":"CVE-2026-41270","cweIds":["CWE-284","CWE-918"],"cvssScore":"7.1","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","attackVector":"network","attackComplexity":"high","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-23T20:16:15.547Z","capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":["AML.T0010"]}}