CVE-2026-43995 Overview
CVE-2026-43995 is a Server-Side Request Forgery (SSRF) vulnerability in Flowise, a drag-and-drop user interface for building customized large language model (LLM) flows. Versions prior to 3.1.0 contain multiple tool implementations that directly import and invoke raw HTTP clients such as node-fetch and axios instead of routing requests through the application's secured wrapper. The affected components include OpenAPIToolkit/OpenAPIToolkit.ts, WebScraperTool/WebScraperTool.ts, MCP/core.ts, and Arxiv/core.ts. The flaw is tracked under CWE-918: Server-Side Request Forgery.
Critical Impact
An authenticated low-privileged user can issue outbound HTTP requests through Flowise tools that bypass internal URL filtering, enabling reconnaissance and limited interaction with internal network resources.
Affected Products
- Flowise versions prior to 3.1.0
- Flowise OpenAPIToolkit and WebScraperTool modules
- Flowise MCP/core.ts and Arxiv/core.ts tool integrations
Discovery Timeline
- 2026-05-11 - CVE-2026-43995 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43995
Vulnerability Analysis
Flowise centralizes outbound HTTP communication through a secured wrapper that enforces URL validation, host allow/deny lists, and protection against requests to internal addresses. Several tool implementations in versions prior to 3.1.0 bypass this wrapper. Instead of using the sanctioned client, the code imports node-fetch and axios directly and issues requests without the protective controls.
The affected tools accept URLs or request parameters that originate from user-controlled LLM flow inputs. Because these requests skip the secured wrapper, an attacker can direct Flowise to fetch arbitrary internal endpoints. This includes cloud metadata services, internal management interfaces, and other hosts that are reachable only from the Flowise server.
Root Cause
The root cause is inconsistent enforcement of outbound HTTP policy across the codebase. Developers added new tool modules that re-implement HTTP calls using third-party clients rather than the centralized wrapper. The result is a partial control surface where four tool modules silently bypass SSRF defenses that apply elsewhere in the application.
Attack Vector
Exploitation requires network access to the Flowise instance and low-privileged authenticated access to configure or invoke a flow that uses one of the affected tools. The attacker supplies a target URL pointing at an internal resource. The vulnerable tool fetches the URL using the raw HTTP client and returns content or behavior back into the LLM flow context. See the Flowise GitHub Security Advisory GHSA-qqvm-66q4-vf5c for full technical details.
Detection Methods for CVE-2026-43995
Indicators of Compromise
- Outbound HTTP requests from the Flowise process targeting RFC1918 addresses, 127.0.0.1, or cloud metadata endpoints such as 169.254.169.254.
- Flowise audit log entries showing repeated invocation of OpenAPIToolkit, WebScraperTool, MCP, or Arxiv tools with unusual or internal URLs.
- Unexpected User-Agent strings consistent with node-fetch or axios defaults from the Flowise host to internal services.
Detection Strategies
- Inspect egress network telemetry for connections from Flowise servers to internal subnets, metadata services, and management ports.
- Review application logs for tool invocations with URLs that do not match expected external API destinations.
- Compare the deployed Flowise version against 3.1.0 and flag any instance running an earlier release.
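The same destination check underlies both sides of this advisory: it is the guard a secured HTTP wrapper applies before fetching (the control the raw node-fetch and axios calls skip), and it is the rule an analyst applies to tool-invocation logs. The block below is an added example, not Flowise code; the "tool=<name> url=<url>" log format and the sample lines are constructed for illustration.

```javascript
// Added example (not Flowise code): one destination check usable both as the guard a
// secured HTTP wrapper applies before fetching and as a detection rule over audit logs.
const INTERNAL_V4 = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], // RFC 1918
  ['127.0.0.0', 8], ['169.254.0.0', 16]]; // loopback; link-local incl. 169.254.169.254

function v4ToInt(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some((x) => !Number.isInteger(x) || x < 0 || x > 255)) return null;
  return ((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3];
}

function inCidr(ip, base, bits) {
  const a = v4ToInt(ip), b = v4ToInt(base);
  if (a === null || b === null) return false;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Returns why rawUrl is a non-public destination, or null if it looks public. WHATWG URL
// normalises IPv4 shorthand (http://2130706433/ -> 127.0.0.1), so literal-IP forms are
// caught; DNS-resolved hosts and rebinding are not, so a real wrapper must also check
// the address it actually connects to.
function internalReason(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return 'unparseable URL'; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return `non-HTTP scheme ${u.protocol}`;
  const host = u.hostname.toLowerCase();
  if (host === 'localhost' || host === '[::1]') return 'loopback host';
  for (const [base, bits] of INTERNAL_V4) {
    if (inCidr(host, base, bits)) return `internal address ${host} in ${base}/${bits}`;
  }
  return null;
}

const AFFECTED_TOOLS = new Set(['OpenAPIToolkit', 'WebScraperTool', 'MCP', 'Arxiv']);

// Detection: flag affected-tool invocations whose URL fails the check above. The
// "tool=<name> url=<url>" line format is assumed; adapt the regex to the real log shape.
function scanLog(lines) {
  return lines.flatMap((line) => {
    const m = /tool=(\S+) url=(\S+)/.exec(line);
    const reason = m && AFFECTED_TOOLS.has(m[1]) ? internalReason(m[2]) : null;
    return reason ? [{ tool: m[1], url: m[2], reason }] : [];
  });
}

// Constructed sample log lines, not real Flowise output.
const SAMPLE_LOG = [
  'ts=2026-05-12T10:01:03Z tool=WebScraperTool url=https://example.com/docs',
  'ts=2026-05-12T10:01:09Z tool=WebScraperTool url=http://169.254.169.254/latest/meta-data/',
  'ts=2026-05-12T10:02:41Z tool=OpenAPIToolkit url=http://10.0.3.7:8500/v1/kv/',
  'ts=2026-05-12T10:03:00Z tool=Arxiv url=http://2130706433/admin',
];
```

Running `scanLog(SAMPLE_LOG)` returns three hits (the metadata, RFC 1918 and decimal-loopback lines) and passes the public example.com request through.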
Monitoring Recommendations
- Forward Flowise application and reverse proxy logs to a centralized analytics platform and alert on internal IP destinations.
- Monitor for spikes in outbound request volume from the Flowise host to non-public endpoints.
- Track newly added flows and tool configurations introduced by low-privileged users.
How to Mitigate CVE-2026-43995
Immediate Actions Required
- Upgrade Flowise to version 3.1.0 or later, which routes the affected tools through the secured HTTP wrapper.
- Audit existing flows that use OpenAPIToolkit, WebScraperTool, MCP, or Arxiv tools and remove any unexpected URL targets.
- Restrict Flowise egress at the network layer to only the external API hosts required for legitimate workflows.
Patch Information
The vulnerability is fixed in Flowise 3.1.0. The patch refactors OpenAPIToolkit/OpenAPIToolkit.ts, WebScraperTool/WebScraperTool.ts, MCP/core.ts, and Arxiv/core.ts to invoke requests through the centralized secured HTTP client. Patch details are documented in the GitHub Security Advisory GHSA-qqvm-66q4-vf5c.
Workarounds
- Block outbound access from the Flowise host to internal address space and cloud metadata IPs using host or network firewalls.
- Disable or remove the affected tool modules from available flow components until the upgrade is applied.
- Require elevated approval for creating or editing flows that include HTTP-fetching tools.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.