GHSA-m837-xvxr-vqwg: Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage

May 20, 2026

The TTS generation endpoint sets Access-Control-Allow-Origin: * as a hardcoded response header, independent of the server’s CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials.

References

github.com/FlowiseAI/Flowise/security/advisories/GHSA-m837-xvxr-vqwg
github.com/advisories/GHSA-m837-xvxr-vqwg

Code Behaviors & Features

Detect and mitigate GHSA-m837-xvxr-vqwg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →