CVE-2026-41271: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side R
highvulnerabilityLLM-Specific
security
Summary
Flowise, a tool with a drag-and-drop interface for building AI workflows, had a Server-Side Request Forgery vulnerability (SSRF, where an attacker tricks a server into making requests to unintended locations) in versions before 3.1.0 that let unauthenticated attackers force the server to send requests to internal or external systems by injecting malicious instructions into prompt templates. This could allow attackers to explore internal networks and steal data.
Solution / Mitigation
Update to version 3.1.0, where the vulnerability is fixed.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Disclosure Date
April 23, 2026
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
confidentialityintegrity
Taxonomy References
Affected Vendors
LangChain
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41271
First tracked: April 24, 2026 at 08:10 AM
Classified by LLM (prompt v3) · confidence: 92%