Flowise: Nine Vulnerabilities Including RCE and SSRF Disclosed in Batch

Key findings
- Nine vulnerabilities disclosed for Flowise between June 20 and 23, 2026. Most are fixed in 3.1.2, several were fixed in earlier releases, and CVE-2026-12821 is reported against versions up to and including 3.1.2.
- Critical flaws include Remote Code Execution (CVE-2026-56274, CVE-2024-58351) and Server-Side Request Forgery (CVE-2026-56275).
- Information disclosure vulnerabilities (CVE-2026-56268, CVE-2026-56267) and authentication bypasses (CVE-2026-56276, CVE-2025-71337) are also present.
- Path traversal (CVE-2026-12821) and Cross-Site Scripting (CVE-2025-71331) further expand the attack surface.
- Patches are available in Flowise 3.1.2 and 3.0.13 for most of the issues; immediate updates are recommended, and deployments already on 3.1.2 should still track the fix status of CVE-2026-12821.
Between June 20 and 23, 2026, nine vulnerabilities were disclosed for Flowise, an open-source low-code tool for building LLM applications. Most affect versions before 3.1.2, a few were fixed in earlier releases, and one is reported against 3.1.2 itself. They span remote code execution (RCE), server-side request forgery (SSRF), path traversal, information disclosure, authentication and authorization weaknesses, and cross-site scripting, and were reported by multiple researchers. Taken together they point to recurring weaknesses in how Flowise validates user input, applies configuration supplied through its API, and passes data between its components (node components, the REST API, account management and the chat UI). The three-day window suggests the findings were released as a batch rather than as unrelated reports.
Two of the findings are remote code execution. CVE-2026-56274 (disclosed June 23, affects versions before 3.1.2) covers OS command injection in the Custom MCP Server feature: command flags are not adequately validated, and the regex intended to block local file access can be bypassed. An attacker who already holds view/update permission on chatflows can use this to execute arbitrary commands on the Flowise host, so the flaw is post-authentication but turns "can edit a flow" into "can run code on the server". CVE-2024-58351 (disclosed June 20, affects versions before 2.1.4) permits RCE through the overrideConfig parameter: malicious configuration injected via the frontend or backend API is applied to the chatflow while it executes.
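The point behind CVE-2026-56274 is that a launch spec for an external process has to be checked structurally, not with a deny-regex over the string. The following is an added example, not Flowise's code: it validates a hypothetical stdio MCP server spec (the common {command, args, env} shape) against an operator policy, rejecting non-allow-listed executables, flags the policy does not permit, shell metacharacters, environment variables that change what gets executed, and any path-like argument that does not resolve inside a workspace root. SAMPLE_POLICY, the command names and the blocked variable list are constructed for illustration; the resolve-then-compare path check is the general fix for "regex bypass" style traversal, including key-derived file paths such as a document loader's download target.

```typescript
import * as path from "node:path";

// Assumed shape of a stdio MCP server definition, following the common
// {command, args, env} convention; not Flowise's own type.
export interface McpStdioSpec {
  command: string;
  args: string[];
  env?: Record<string, string>;
}

// Hypothetical launch policy: executables an operator has approved and, for
// each one, the flags it may be given. Everything else is rejected.
export interface LaunchPolicy {
  allowedCommands: Record<string, Set<string>>; // command -> permitted flags
  workspaceRoot: string;                        // path arguments must stay under here
  blockedEnv: Set<string>;                      // variables that alter what gets executed
}

// Constructed sample policy for the example.
export const SAMPLE_POLICY: LaunchPolicy = {
  allowedCommands: {
    npx: new Set(["-y", "--yes"]),
    python3: new Set(["-m"]),
  },
  workspaceRoot: "/srv/flowise/mcp",
  blockedEnv: new Set(["NODE_OPTIONS", "LD_PRELOAD", "PYTHONSTARTUP", "PATH"]),
};

// Defence in depth only: the spec is meant for spawn(..., { shell: false }),
// but an argument carrying these characters is never a legitimate flag or path.
const SHELL_META = /[;&|`$<>(){}\n\r]/;

// Returns the list of problems found; an empty list means the spec may be
// handed to child_process.spawn(spec.command, spec.args, { env, shell: false }).
export function validateMcpSpec(spec: McpStdioSpec, policy: LaunchPolicy): string[] {
  const problems: string[] = [];
  const flags = policy.allowedCommands[spec.command];
  if (!flags) {
    problems.push(`command not allow-listed: ${spec.command}`);
  }
  const root = path.resolve(policy.workspaceRoot);
  for (const arg of spec.args) {
    if (SHELL_META.test(arg)) {
      problems.push(`shell metacharacter in argument: ${JSON.stringify(arg)}`);
    }
    if (arg.startsWith("-")) {
      // Normalise --flag=value to --flag before consulting the allow-list.
      const name = arg.split("=", 1)[0];
      if (!flags || !flags.has(name)) {
        problems.push(`flag not allowed for ${spec.command}: ${name}`);
      }
      continue;
    }
    // Anything path-like must resolve inside the workspace root. Resolving and
    // comparing prefixes is what closes the "../", absolute-path and
    // mixed-separator variants that a deny regex tends to miss.
    if (path.isAbsolute(arg) || arg.includes("/") || arg.includes("\\") || arg === "." || arg === "..") {
      const target = path.resolve(root, arg);
      if (target !== root && !target.startsWith(root + path.sep)) {
        problems.push(`path escapes workspace: ${arg}`);
      }
    }
  }
  for (const name of Object.keys(spec.env ?? {})) {
    if (policy.blockedEnv.has(name)) {
      problems.push(`environment variable not allowed: ${name}`);
    }
  }
  return problems;
}
```

A spec such as `{ command: "node", args: ["--require", "../../etc/evil.js"], env: { NODE_OPTIONS: "..." } }` produces four separate findings (command, flag, path, environment) rather than one, which is what you want in an audit log. The allow-list is per executable on purpose: `-m` is harmless for one interpreter and meaningless or dangerous for another.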
CVE-2026-56275 (disclosed June 23, affects versions before 3.1.0) is a server-side request forgery in the Execute Flow node: the base URL field accepts intranet addresses, so a user who can configure the node can make the Flowise server issue requests to internal network services and to cloud instance metadata endpoints. Separately, CVE-2026-12821 (disclosed June 21, reported against versions up to and including 3.1.2) is a path traversal in the S3 Document Loader component (packages/components/nodes/documentloaders/S3/S3.ts) that the report describes as remotely exploitable.
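The SSRF finding is the usual one for any node that takes a base URL from the flow author: the URL must be checked against the address the server would actually connect to, not against the hostname string. This added example (not Flowise's code) shows that check: it parses with the WHATWG URL class, which already canonicalises numeric tricks such as 2130706433 or 0x7f.1 to 127.0.0.1, then rejects non-HTTP schemes, embedded credentials, and any literal or resolved address in loopback, RFC 1918, carrier-grade NAT, link-local (which includes 169.254.169.254), IPv6 local ranges, or an IPv4-mapped IPv6 form. The resolver is injected so the example runs offline; SAMPLE_RESOLVER and its hostnames are a constructed table.

```typescript
import * as net from "node:net";

// A resolver maps a hostname to the literal addresses it answers with. Real
// code wraps dns.lookup(host, { all: true }); SAMPLE_RESOLVER is a constructed
// table so the example runs offline.
export type Resolver = (host: string) => string[];

export const SAMPLE_RESOLVER: Resolver = (host) => {
  const table: Record<string, string[]> = {
    "api.example.com": ["203.0.113.10"],
    "internal.corp": ["10.0.0.5"],
    "rebind.test": ["203.0.113.10", "127.0.0.1"], // any internal answer makes the host unsafe
  };
  return table[host] ?? [];
};

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

// Destinations a server should never fetch on a user's behalf, in CIDR form.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],       // "this" network
  ["10.0.0.0", 8],      // RFC 1918
  ["100.64.0.0", 10],   // carrier-grade NAT
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local; includes the 169.254.169.254 metadata service
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
  ["224.0.0.0", 3],     // multicast, reserved and broadcast
];

function isBlockedV4(ip: string): boolean {
  const n = ipv4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

function isBlockedV6(ip: string): boolean {
  const s = ip.toLowerCase();
  if (s === "::" || s === "::1") return true;            // unspecified, loopback
  const first = parseInt(s.split(":")[0] || "0", 16);
  if ((first & 0xffc0) === 0xfe80) return true;           // link-local fe80::/10
  if ((first & 0xfe00) === 0xfc00) return true;           // unique-local fc00::/7
  // IPv4-mapped: the WHATWG parser serialises ::ffff:127.0.0.1 as ::ffff:7f00:1,
  // so accept both spellings and hand the embedded IPv4 to the v4 check.
  const hex = s.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16);
    const lo = parseInt(hex[2], 16);
    return isBlockedV4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  const dotted = s.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  return dotted ? isBlockedV4(dotted[1]) : false;
}

// Decide whether a user-supplied base URL may be fetched by the server.
export function checkOutboundUrl(raw: string, resolve: Resolver): { ok: boolean; reason?: string } {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  // url.hostname is already canonical (e.g. 2130706433 -> 127.0.0.1); IPv6
  // literals arrive in brackets, which net.isIP does not accept.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const addresses = net.isIP(host) === 0 ? resolve(host) : [host];
  if (addresses.length === 0) return { ok: false, reason: `unresolvable host: ${host}` };
  for (const a of addresses) {
    const family = net.isIP(a);
    if (family === 0 || (family === 4 && isBlockedV4(a)) || (family === 6 && isBlockedV6(a))) {
      return { ok: false, reason: `${host} maps to disallowed address ${a}` };
    }
  }
  return { ok: true };
}
```

Two caveats a practitioner will want. First, a pre-flight check like this still leaves a DNS rebinding window between validation and connection; the same address test should also run inside the HTTP client's lookup hook so the socket is refused at connect time. Second, the list is a deny-list of well-known ranges; an instance that has other internal networks (VPC CIDRs, a service mesh) needs them added, or better, an allow-list of the external hosts a flow is permitted to call.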
Two findings disclose data. CVE-2026-56268 (disclosed June 22, affects versions before 3.1.2): the /api/v1/chatflows/apikey/:apikey endpoint returns chatflows from every workspace rather than only the caller's when the keyonly parameter is omitted, a cross-workspace disclosure. CVE-2026-56267 (disclosed June 20, affects versions before 3.0.13): the unauthenticated forgot-password endpoint returns full user objects, including sensitive fields, so an unauthenticated caller can obtain user PII from an instance it can reach.
Three findings concern accounts and sessions. CVE-2026-56276 (disclosed June 20, affects versions before 3.1.2) is a mass assignment flaw in PUT /api/v1/user: fields from the request body are copied onto the user record, so an authenticated user can write a password hash directly instead of going through a password change, which can provide persistent access. CVE-2025-71337 (disclosed June 23, affects versions before 3.0.10) is an unverified email change in the account profile endpoint: an authenticated user can set a new address without confirming control of it, which undermines any control that trusts the address on file. CVE-2025-71331 (disclosed June 20, affects versions before 3.0.8) is cross-site scripting in chat messages and agent workflows: input is insufficiently filtered, so injected JavaScript runs in the browser of whoever views the affected message or workflow.
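The mass assignment and unverified email change findings share a root cause: the profile handler trusts whatever the body says about the user. This added example (not Flowise's code) puts the vulnerable pattern next to the hardened one. It assumes a hypothetical UserRecord shape; the update handler copies only an explicit allow-list of self-editable fields, the email change is split into request and confirm steps with a hashed, expiring token, and a projection function shows the explicit-pick response shape that would also have kept the forgot-password endpoint above from returning full user objects. SAMPLE_USER and the field names are constructed.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed user record for illustration; not Flowise's actual model.
export interface UserRecord {
  id: string;
  email: string;
  name: string;
  passwordHash: string;
  role: "owner" | "member";
}

// Constructed sample record.
export const SAMPLE_USER: UserRecord = {
  id: "u-1",
  email: "alice@example.com",
  name: "Alice",
  passwordHash: "$argon2id$constructed-hash",
  role: "member",
};

// Vulnerable pattern: every key in the request body lands on the record, so
// {"passwordHash": "..."} or {"role": "owner"} is accepted as-is.
export function updateUserVulnerable(user: UserRecord, body: Record<string, unknown>): UserRecord {
  return Object.assign({}, user, body) as UserRecord;
}

// Fields a user may change about themselves through a profile PUT. Password
// and e-mail are deliberately absent: they go through dedicated flows.
const SELF_UPDATABLE = ["name"] as const;
type SelfUpdatable = (typeof SELF_UPDATABLE)[number];

// Hardened pattern: copy only allow-listed, type-checked keys; report the rest
// so the rejected keys can be logged as a tampering signal.
export function updateUserHardened(
  user: UserRecord,
  body: Record<string, unknown>,
): { user: UserRecord; rejected: string[] } {
  const next: UserRecord = { ...user };
  const rejected: string[] = [];
  for (const [key, value] of Object.entries(body)) {
    if ((SELF_UPDATABLE as readonly string[]).includes(key) && typeof value === "string") {
      next[key as SelfUpdatable] = value;
    } else {
      rejected.push(key);
    }
  }
  return { user: next, rejected };
}

// Verified e-mail change: the new address becomes active only after a token
// delivered to that address is presented back within its lifetime.
export interface PendingEmailChange {
  userId: string;
  newEmail: string;
  tokenHash: string; // store the hash, never the token itself
  expiresAt: number; // epoch milliseconds
}

const TOKEN_TTL_MS = 15 * 60 * 1000;

function sha256Hex(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

export function requestEmailChange(
  user: UserRecord,
  newEmail: string,
  now: number,
): { pending: PendingEmailChange; token: string } {
  const token = randomBytes(32).toString("hex"); // this is what gets e-mailed to newEmail
  const pending = { userId: user.id, newEmail, tokenHash: sha256Hex(token), expiresAt: now + TOKEN_TTL_MS };
  return { pending, token };
}

export function confirmEmailChange(
  user: UserRecord,
  pending: PendingEmailChange,
  token: string,
  now: number,
): UserRecord | null {
  if (pending.userId !== user.id || now > pending.expiresAt) return null;
  const expected = Buffer.from(pending.tokenHash, "hex");
  const given = Buffer.from(sha256Hex(token), "hex");
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  return { ...user, email: pending.newEmail };
}

// Response projection for any endpoint that must describe a user: an explicit
// pick, so a serialised record never carries passwordHash or role by accident.
export function toPublicUser(user: UserRecord): { id: string; name: string } {
  return { id: user.id, name: user.name };
}
```

The allow-list is the fix for the CVE-2026-56276 class, but the `rejected` array is the part worth wiring into monitoring: a body that carries `passwordHash` or `role` to a profile endpoint is a probe, not a mistake.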
Patches exist for most of these issues: 3.1.2 and 3.0.13 address the majority, and the remainder were fixed in earlier releases (2.1.4, 3.0.8, 3.0.10, 3.1.0). Update to the latest available version, and if you already run 3.1.2 keep tracking CVE-2026-12821, which is reported against that version. The breadth of the batch, from RCE and SSRF to PII disclosure and account-level weaknesses, means that for an instance reachable by untrusted users patching is the only complete mitigation; limiting who can edit chatflows and what the Flowise host can reach on the network reduces the exposure but does not remove it.