CVE-2026-56277
Summary
by MITRE • 07/01/2026
Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS configuration (getCorsOptions()) and allows any webpage to make cross-origin requests that trigger TTS generation using stored credentials, enabling drive-by cross-origin credential abuse.
Analysis
by VulDB Data Team • 07/01/2026
The vulnerability in Flowise versions prior to 3.1.2 is a critical flaw in the text-to-speech endpoint implementation that undermines the application's cross-origin resource sharing (CORS) protections. It affects packages/server/src/controllers/text-to-speech/index.ts, where the Access-Control-Allow-Origin header is hardcoded to accept requests from any origin, creating an unintended bypass of the server's CORS restrictions. This directly contradicts the secure default CORS policy established by the getCorsOptions() function, which should normally enforce strict origin validation for resource access.
Exploiting this vulnerability lets attackers carry out drive-by cross-origin credential abuse that operates outside the application's normal security boundaries. When a malicious webpage loads and makes a cross-origin request to the TTS generation endpoint, the hardcoded wildcard allows the request to proceed without proper origin verification. This is particularly dangerous because the endpoint operates with stored credentials, meaning that authenticated sessions can be leveraged to generate text-to-speech content without explicit user consent or awareness. The vulnerability essentially turns what should be a protected endpoint into an open channel for unauthorized audio generation requests.
From an operational impact perspective, this flaw creates significant risks for organizations using Flowise in production environments where sensitive data processing occurs through the text-to-speech functionality. Attackers can potentially abuse the service to generate audio content using legitimate user credentials, which could serve as a vector for data exfiltration or denial-of-service attacks. The bypass of CORS restrictions means that even users with restricted access levels might inadvertently expose their authenticated sessions to malicious actors who craft specially designed web pages to trigger TTS generation requests. This vulnerability directly relates to CWE-346, known as "Origin Validation Error", which specifically addresses issues where applications fail to properly validate the origin of cross-origin requests.
The exploitation pattern aligns with ATT&CK technique T1566.002 for credential harvesting through social engineering and web application attacks, while also demonstrating characteristics of T1071.004 for application layer protocol usage in command and control communications. Organizations should immediately implement mitigations including updating to Flowise version 3.1.2 or later where the CORS configuration has been properly addressed. The recommended fix involves ensuring that the text-to-speech endpoint respects the server's configured CORS policy rather than using a hardcoded wildcard, thereby maintaining consistent security boundaries across all API endpoints. Additionally, administrators should review and validate their current CORS configurations to ensure no other endpoints exhibit similar insecure patterns that could create analogous vulnerabilities in their deployment environments.
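One way to carry out the configuration review recommended above, as an added example (not Flowise code and not part of the original advisory): it compares the Access-Control-Allow-Origin value each endpoint returned with what the configured allowlist would permit, and goes slightly beyond the hardcoded-wildcard case by also flagging reflected unlisted origins. The endpoint paths, origins and captured header values are constructed, and the allowlist is an assumed configuration.

```typescript
// Added example, not Flowise code. Paths, origins and header values are constructed.
type Sample = { endpoint: string; requestOrigin: string; acao: string | null };
type Finding = { endpoint: string; reason: string };

const ALLOWLIST: string[] = ["https://app.example"]; // assumed configured CORS origins

// Constructed captures: the Origin sent and the Access-Control-Allow-Origin returned.
const SAMPLES: Sample[] = [
  { endpoint: "/example/chat", requestOrigin: "https://app.example", acao: "https://app.example" },
  { endpoint: "/example/chat", requestOrigin: "https://untrusted.example", acao: null },
  { endpoint: "/example/tts", requestOrigin: "https://untrusted.example", acao: "*" },
  { endpoint: "/example/upload", requestOrigin: "https://untrusted.example", acao: "https://untrusted.example" },
];

function listed(origin: string, allowlist: string[]): boolean {
  return allowlist.indexOf(origin) !== -1;
}

// Header value the configured policy would produce for this request Origin.
function expectedAcao(requestOrigin: string, allowlist: string[]): string | null {
  return listed(requestOrigin, allowlist) ? requestOrigin : null;
}

// Report endpoints whose response grants more than the configured policy allows.
function auditCors(samples: Sample[], allowlist: string[]): Finding[] {
  const findings: Finding[] = [];
  if (listed("*", allowlist)) return findings; // operator explicitly allows every origin
  for (const s of samples) {
    // No header at all, or exactly what the policy would send: nothing to report.
    if (s.acao === null || s.acao === expectedAcao(s.requestOrigin, allowlist)) continue;
    if (listed(s.acao, allowlist)) continue; // fixed value, but a permitted origin
    const reason = s.acao === "*"
      ? "wildcard set independently of the configured policy"
      : "unlisted origin allowed: " + s.acao;
    findings.push({ endpoint: s.endpoint, reason: reason });
  }
  return findings;
}

const FINDINGS: Finding[] = auditCors(SAMPLES, ALLOWLIST);
```

An endpoint that appears in the findings sets its own header instead of deferring to the shared policy, which is the pattern the 3.1.2 fix removes from the TTS endpoint.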