GHSA-m837-xvxr-vqwg: Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage
Summary
Flowise, an AI tool, has a hardcoded setting that allows any webpage on the internet to make requests to its text-to-speech (TTS, a feature that converts written text into spoken audio) endpoint using your stored credentials. This bypasses the server's normal cross-origin request protection (CORS, which controls what websites can access a server's data), letting malicious webpages secretly generate speech on your behalf.
Solution / Mitigation
Remove the hardcoded CORS wildcard headers from the TTS endpoint. Specifically, delete these lines from `packages/server/src/controllers/text-to-speech/index.ts` at line 83: `res.setHeader('Access-Control-Allow-Origin', '*')` and `res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')`. This allows the server's standard CORS middleware to handle access control instead.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-m837-xvxr-vqwg
First tracked: May 20, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 92%