
CVE-2026-56277

Severity: MEDIUM 6.9 (CVSS 4.0)
Description
Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS configuration (getCorsOptions()) and allows any webpage to make cross-origin requests that trigger TTS generation using stored credentials, enabling drive-by cross-origin credential abuse.
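
The following TypeScript is an added illustration of the header logic the description refers to; it is not Flowise's code. It puts the pre-fix shape (a hardcoded wildcard) beside a policy-respecting shape, models the browser's CORS read check, and runs an audit over constructed captured responses to find endpoints that hand out `*` while the server-wide policy is restrictive. The allow-list, the endpoint paths and the captured headers are assumptions.

```typescript
// Added illustration for CVE-2026-56277. Not Flowise code: the allow-list,
// the endpoint paths and the captured responses below are constructed.
type Headers = Record<string, string>;

// Stand-in for a restrictive server-wide policy of the kind the record says
// getCorsOptions() provides; the concrete origin is an assumption.
const ALLOWED_ORIGINS: readonly string[] = ["https://flowise.example.internal"];

// Case-insensitive lookup, because HTTP header names are case-insensitive.
function getHeader(headers: Headers, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Pre-3.1.2 shape of the bug: the handler hardcodes a wildcard and never
// consults the request Origin or the configured policy.
function vulnerableTtsHeaders(_requestOrigin: string | undefined): Headers {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened shape: echo the Origin only when the policy allows it, otherwise
// emit no ACAO header at all. Vary: Origin is set on both paths so a shared
// cache never serves one origin's answer to another.
function hardenedTtsHeaders(
  requestOrigin: string | undefined,
  allowed: readonly string[] = ALLOWED_ORIGINS,
): Headers {
  const headers: Headers = { Vary: "Origin" };
  if (requestOrigin !== undefined && allowed.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Browser-side outcome: may a page at pageOrigin read this response?
// Mirrors the Fetch standard's CORS check: a wildcard satisfies only
// non-credentialed requests; a credentialed request needs an exact origin
// match plus Access-Control-Allow-Credentials: true.
function responseReadableFrom(headers: Headers, pageOrigin: string, withCredentials: boolean): boolean {
  const acao = getHeader(headers, "Access-Control-Allow-Origin");
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === pageOrigin;
  return acao === pageOrigin && getHeader(headers, "Access-Control-Allow-Credentials") === "true";
}

// Audit predicate: a wildcard is a policy bypass whenever the configured
// allow-list is itself not a wildcard.
function flagsWildcardBypass(headers: Headers, allowed: readonly string[] = ALLOWED_ORIGINS): boolean {
  return getHeader(headers, "Access-Control-Allow-Origin") === "*" && !allowed.includes("*");
}

// Constructed captures, as a proxy or test harness might record them after
// hitting every endpoint with a foreign Origin header. Paths are illustrative.
const CAPTURED_RESPONSES: ReadonlyArray<{ path: string; headers: Headers }> = [
  { path: "/api/v1/text-to-speech/generate", headers: { "access-control-allow-origin": "*" } },
  { path: "/api/v1/chatflows", headers: { Vary: "Origin" } },
  { path: "/api/v1/version", headers: {} },
];

// Returns the paths whose response contradicts the configured policy.
function auditCaptures(captures = CAPTURED_RESPONSES, allowed: readonly string[] = ALLOWED_ORIGINS): string[] {
  return captures.filter((c) => flagsWildcardBypass(c.headers, allowed)).map((c) => c.path);
}

function main(): void {
  const attacker = "https://attacker.example";
  console.log("vulnerable, readable by attacker page:", responseReadableFrom(vulnerableTtsHeaders(attacker), attacker, false));
  console.log("hardened, readable by attacker page:", responseReadableFrom(hardenedTtsHeaders(attacker), attacker, false));
  console.log("endpoints bypassing policy:", auditCaptures());
}
main();
```

One caveat worth keeping in mind when triaging this class of bug: browsers never accept a wildcard `Access-Control-Allow-Origin` for a credentialed (cookie-bearing) read, so what the wildcard adds is that any origin can issue the request and read the TTS response. Whether such a request reaches the generation logic depends on how the endpoint authenticates, which this record does not detail; the audit predicate above therefore flags the policy contradiction itself rather than asserting exploitability.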

Metadata

CVE ID
CVE-2026-56277
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-20 01:51 UTC
Published
2026-06-30 22:08 UTC
Last updated
2026-06-30 22:08 UTC
Primary CWE
CWE-346
Origin Validation Error
Vendor / Product
Flowise / Flowise
Sources
cve.org  ·  NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products (1)
Vendor | Product | Platform | Versions
Flowise | Flowise | - | 0 < 3.1.2, 3.1.2
Weakness (CWE)
CWE | Source | Description
CWE-346 | cna | Origin Validation Error
CVSS scores (1)
Score | Severity | Version | Source | Vector
6.9 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
References (2)