CVE-2026-41271: Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains

April 16, 2026 (updated April 24, 2026)

A Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI’s POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration.

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-6r77-hqx7-7vw8
github.com/advisories/GHSA-6r77-hqx7-7vw8
nvd.nist.gov/vuln/detail/CVE-2026-41271

Code Behaviors & Features

Detect and mitigate CVE-2026-41271 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →