Loading
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints. This enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the public internet. This vulnerability is fixed in 3.0.13.
Use CWE-918, Flowiseai vendor hub and Flowise product page to widen CVE-2026-31829 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2026-41268, CVE-2026-41278 and CVE-2026-41271 for nearby disclosures in the same product family.