CVE-2026-56277
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
The vulnerability in Flowise before version 3.1.2 sets the Access-Control-Allow-Origin header to a hardcoded wildcard (*) on the text-to-speech (TTS) generation endpoint. This bypasses the server's configured CORS policy and allows any webpage to make cross-origin requests using stored credentials.
Risk Assessment
The risk involves a drive-by attack where a malicious webpage can exploit stored user credentials to generate speech without consent, leading to unauthorized resource usage and potential data leakage.
Recommendation
Immediately update Flowise to version 3.1.2 or later, which fixes this vulnerability by properly applying the configured CORS policy to the TTS endpoint.
Original NVD description (English source)
Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS configuration (getCorsOptions()) and allows any webpage to make cross-origin requests that trigger TTS generation using stored credentials, enabling drive-by cross-origin credential abuse.

