CVE-2026-43995: Flowise: Unsecured HTTP Client Use Prior to 3.1.0

CVE-2026-43995
Summary

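Flowise, a drag and drop interface for building large language model flows, had several tool implementations that made HTTP requests with raw HTTP clients (node-fetch, axios) instead of the project's secured wrapper. This could have allowed hackers to intercept sensitive information. Update to Flowise 3.1.0 to fix this issue.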

What to do

Update to Flowise 3.1.0, the release in which this vulnerability is fixed.

Affected software
Vendor | Product | Affected versions
flowiseai | flowise | < 3.1.0
cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Original title
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios...
Original description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2) WebScraperTool/WebScraperTool.ts, (3) MCP/core.ts, and (4) Arxiv/core.ts. This vulnerability is fixed in 3.1.0.
NVD CVSS 4.0 score: 5.3
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 11 May 2026 · Updated: 28 May 2026 · First seen: 11 May 2026
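
One way to audit custom or forked tool code for the pattern in the description, as an added example that is not Flowise's own code: it flags direct imports of `node-fetch` and `axios`. The file names, the `safeHttp` wrapper path and the sample sources are constructed assumptions.

```javascript
// Raw HTTP clients named in the advisory text.
const RAW_CLIENTS = ['node-fetch', 'axios'];

// Matches the module specifier in: import ... from 'm', import 'm',
// export ... from 'm', require('m') and dynamic import('m').
const MODULE_REF = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(['"])([^'"]+)\1/g;

// Blank out comments so commented-out imports are not reported. Newlines are
// kept so line numbers stay correct. Naive: does not parse string literals.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    .replace(/(^|[^:])\/\/.*$/gm, '$1');
}

// Return one finding per direct reference to a raw HTTP client.
function findRawClientImports(path, src) {
  const findings = [];
  const clean = stripComments(src);
  for (const m of clean.matchAll(MODULE_REF)) {
    const spec = m[2];
    // 'axios' and subpaths such as 'axios/lib/...' both count.
    const client = RAW_CLIENTS.find((c) => spec === c || spec.startsWith(c + '/'));
    if (!client) continue;
    const line = clean.slice(0, m.index).split('\n').length;
    findings.push({ path, line, client });
  }
  return findings;
}

function auditFiles(files) {
  return Object.entries(files).flatMap(([p, s]) => findRawClientImports(p, s));
}

// Constructed sample sources (hypothetical paths and wrapper module name).
const SAMPLE_FILES = {
  'ExampleToolA/core.ts':
    "import fetch from 'node-fetch'\nexport const get = (u: string) => fetch(u)\n",
  'ExampleToolB/core.ts':
    "// import axios from 'axios'\nimport { secureGet } from '../../src/safeHttp'\n" +
    "const r = await import('axios')\n",
  'ExampleToolC/core.ts': "import { secureGet } from '../../src/safeHttp'\n",
};

for (const f of auditFiles(SAMPLE_FILES)) {
  console.log(`${f.path}:${f.line} imports ${f.client} directly`);
}
```

A hit is a prompt for review, not proof of exposure: what matters is whether the request target can be influenced by untrusted input and bypasses the wrapper's checks.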