CVE-2026-31829

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-31829

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31829.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-31829

Aliases

GHSA-fvcw-9w9r-pxc7

Published

2026-03-10T21:43:58.549Z

Modified

2026-04-10T05:42:09.701339Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L CVSS Calculator

Summary

Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access

Details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints. This enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the public internet. This vulnerability is fixed in 3.0.13.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31829.json"
}

References

Affected packages

Git / github.com/flowiseai/flowise

Affected ranges

Type: GIT
Repo: https://github.com/flowiseai/flowise
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f0c1294173a55f26e0b972c39c0c16917f5ca9e7

Affected versions

flowise-components@1.*

flowise-components@1.0.0

flowise-components@1.1.0

flowise-components@1.1.1

flowise-components@1.2.1

flowise-components@1.2.10

flowise-components@1.2.12

flowise-components@1.2.14

flowise-components@1.2.15

flowise-components@1.2.16

flowise-components@1.2.17

flowise-components@1.2.2

flowise-components@1.2.3

flowise-components@1.2.4

flowise-components@1.2.5

flowise-components@1.2.6

flowise-components@1.2.7

flowise-components@1.2.8

flowise-components@1.2.9

flowise-components@1.3.0

flowise-components@1.3.1

flowise-components@1.3.10

flowise-components@1.3.11

flowise-components@1.3.2

flowise-components@1.3.3

flowise-components@1.3.4

flowise-components@1.3.5

flowise-components@1.3.7

flowise-components@1.3.8

flowise-components@1.3.9

flowise-components@1.4.0

flowise-components@1.4.1

flowise-components@1.4.2

flowise-components@1.4.6

flowise-components@1.4.7

flowise-components@1.4.8

flowise-components@1.4.9

flowise-components@1.5.0

flowise-components@1.5.1

flowise-components@1.5.2

flowise-components@1.5.3

flowise-components@1.6.0

flowise-components@1.6.1

flowise-components@1.6.2

flowise-components@1.6.3

flowise-components@1.6.4

flowise-components@1.6.5

flowise-components@1.6.6

flowise-components@1.6.7

flowise-components@1.6.8

flowise-components@1.7.0

flowise-components@1.7.1

flowise-components@1.7.2

flowise-components@1.8.0

flowise-components@1.8.1

flowise-components@1.8.3

flowise-components@1.8.4

flowise-components@1.8.6

flowise-components@2.*

flowise-components@2.0.2

flowise-components@2.0.3

flowise-components@2.0.4

flowise-components@2.0.5

flowise-components@2.0.6

flowise-components@2.0.7

flowise-components@2.1.0

flowise-components@2.1.1

flowise-components@2.1.2

flowise-components@2.1.3

flowise-components@2.1.4

flowise-components@2.1.5

flowise-components@2.2.0

flowise-components@2.2.1

flowise-components@2.2.2

flowise-components@2.2.3

flowise-components@2.2.4

flowise-components@2.2.5

flowise-components@2.2.6

flowise-components@2.2.7

flowise-components@2.2.7-patch.1

flowise-components@2.2.8

flowise-components@3.*

flowise-components@3.0.0

flowise-components@3.0.1

flowise-components@3.0.10

flowise-components@3.0.11

flowise-components@3.0.12

flowise-components@3.0.2

flowise-components@3.0.3

flowise-components@3.0.4

flowise-components@3.0.5

flowise-components@3.0.6

flowise-components@3.0.7

flowise-components@3.0.8

flowise-components@3.0.9

flowise-ui@1.*

flowise-ui@1.0.0

flowise-ui@1.1.0

flowise-ui@1.2.0

flowise-ui@1.2.1

flowise-ui@1.2.10

flowise-ui@1.2.12

flowise-ui@1.2.13

flowise-ui@1.2.14

flowise-ui@1.2.15

flowise-ui@1.2.2

flowise-ui@1.2.3

flowise-ui@1.2.4

flowise-ui@1.2.5

flowise-ui@1.2.6

flowise-ui@1.2.7

flowise-ui@1.3.0

flowise-ui@1.3.1

flowise-ui@1.3.2

flowise-ui@1.3.3

flowise-ui@1.3.4

flowise-ui@1.3.5

flowise-ui@1.3.6

flowise-ui@1.3.7

flowise-ui@1.4.0

flowise-ui@1.4.2

flowise-ui@1.4.3

flowise-ui@1.4.4

flowise-ui@1.4.5

flowise-ui@1.4.6

flowise-ui@1.4.7

flowise-ui@1.4.8

flowise-ui@1.4.9

flowise-ui@1.5.0

flowise-ui@1.5.1

flowise-ui@1.6.0

flowise-ui@1.6.1

flowise-ui@1.6.2

flowise-ui@1.6.3

flowise-ui@1.6.4

flowise-ui@1.6.5

flowise-ui@1.6.6

flowise-ui@1.7.0

flowise-ui@1.7.1

flowise-ui@1.7.2

flowise-ui@1.8.0

flowise-ui@1.8.1

flowise-ui@1.8.2

flowise-ui@1.8.3

flowise-ui@1.8.4

flowise-ui@2.*

flowise-ui@2.0.2

flowise-ui@2.0.3

flowise-ui@2.0.4

flowise-ui@2.0.5

flowise-ui@2.0.6

flowise-ui@2.0.7

flowise-ui@2.1.0

flowise-ui@2.1.1

flowise-ui@2.1.2

flowise-ui@2.1.3

flowise-ui@2.1.4

flowise-ui@2.1.5

flowise-ui@2.2.0

flowise-ui@2.2.1

flowise-ui@2.2.2

flowise-ui@2.2.3

flowise-ui@2.2.4

flowise-ui@2.2.5

flowise-ui@2.2.6

flowise-ui@2.2.7

flowise-ui@2.2.7-patch.1

flowise-ui@2.2.8

flowise-ui@3.*

flowise-ui@3.0.0

flowise-ui@3.0.1

flowise-ui@3.0.10

flowise-ui@3.0.11

flowise-ui@3.0.12

flowise-ui@3.0.2

flowise-ui@3.0.3

flowise-ui@3.0.4

flowise-ui@3.0.5

flowise-ui@3.0.6

flowise-ui@3.0.7

flowise-ui@3.0.8

flowise-ui@3.0.9

flowise@1.*

flowise@1.0.0

flowise@1.0.1

flowise@1.1.0

flowise@1.1.1

flowise@1.2.1

flowise@1.2.11

flowise@1.2.13

flowise@1.2.14

flowise@1.2.15

flowise@1.2.16

flowise@1.2.2

flowise@1.2.3

flowise@1.2.4

flowise@1.2.5

flowise@1.2.6

flowise@1.2.7

flowise@1.2.8

flowise@1.2.9

flowise@1.3.0

flowise@1.3.1

flowise@1.3.2

flowise@1.3.3

flowise@1.3.4

flowise@1.3.5

flowise@1.3.6

flowise@1.3.7

flowise@1.3.8

flowise@1.3.9

flowise@1.4.0

flowise@1.4.1

flowise@1.4.10

flowise@1.4.11

flowise@1.4.12

flowise@1.4.2

flowise@1.4.4

flowise@1.4.5

flowise@1.4.6

flowise@1.4.7

flowise@1.4.8

flowise@1.4.9

flowise@1.5.0

flowise@1.5.1

flowise@1.6.0

flowise@1.6.1

flowise@1.6.2

flowise@1.6.3

flowise@1.6.4

flowise@1.6.5

flowise@1.6.6

flowise@1.7.0

flowise@1.7.1

flowise@1.7.2

flowise@1.8.0

flowise@1.8.1

flowise@1.8.2

flowise@1.8.3

flowise@1.8.4

flowise@2.*

flowise@2.0.2

flowise@2.0.3

flowise@2.0.4

flowise@2.0.5

flowise@2.0.6

flowise@2.0.7

flowise@2.1.0

flowise@2.1.1

flowise@2.1.2

flowise@2.1.3

flowise@2.1.4

flowise@2.1.5

flowise@2.2.0

flowise@2.2.1

flowise@2.2.2

flowise@2.2.3

flowise@2.2.4

flowise@2.2.5

flowise@2.2.6

flowise@2.2.6-hotfix.1

flowise@2.2.7

flowise@2.2.7-patch.1

flowise@2.2.8

flowise@3.*

flowise@3.0.0

flowise@3.0.1

flowise@3.0.10

flowise@3.0.11

flowise@3.0.12

flowise@3.0.2

flowise@3.0.3

flowise@3.0.4

flowise@3.0.5

flowise@3.0.6

flowise@3.0.7

flowise@3.0.8

flowise@3.0.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31829.json"