CVE-2026-41272: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core securi
Summary
Flowise, a tool with a drag-and-drop interface for building customized AI workflows, had security flaws in its request-blocking system before version 3.1.0. These flaws allowed attackers to bypass security protections through DNS Rebinding (a technique where a domain name's IP address changes between security checks) or by exploiting a default configuration that didn't enforce any blocklist, potentially enabling SSRF attacks (Server-Side Request Forgery, where an attacker tricks a server into making unwanted requests).
Solution / Mitigation
Upgrade to version 3.1.0, where this vulnerability is fixed.
Vulnerability Details
7.1(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
network
high
low
none
April 23, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41272
First tracked: April 24, 2026 at 08:10 AM
Classified by LLM (prompt v3) · confidence: 92%