← Back to all sparks
F

Flowise

AI-ASSISTANTS
Velocity2.5

Open-source low-code tool to build LLM apps and AI agents visually.

Flowise hardens its security surface while opening its flows to MCP clients.

llm-app-buildermcpsecurity-hardeningagentflowinteroperabilityself-hosted
Current state
Flowise's recent point releases mix security hardening with agent-builder features. The 3.1.x line has shipped fixes for clickjacking, credential leaks, mass assignment, and CORS, plus SSRF protection on by default — alongside agentflow improvements and, in 3.1.3, the ability to expose a chatflow as an MCP server. Cadence is bundled releases, not a steady stream.
Where it's heading
Two threads are converging: locking down a tool that runs untrusted LLM workflows, and making Flowise interoperable with the broader agent ecosystem. Exposing chatflows as MCP servers turns Flowise from a flow builder into a backend other assistants can call.
Prediction
Expect continued hardening of the self-hosted surface and more MCP/agent-interop wiring; the SSRF-by-default change signals a move toward secure defaults overall.

Recent moves

  1. 17d ago

    Flowise 3.1.3: chatflows can be exposed as MCP servers

    ⚡ SPARK

    3.1.3 bundles fixes (clickjacking, node-action notifications, Start-node form filtering) with a notable capability: any chatflow can now be turned into an MCP server — fitting the trajectory toward agent-ecosystem interop.

    View source ↗
  2. 2mo ago

    A security-focused release: fixes for a CORS-wildcard credential-abuse hole, mass assignment in the tools endpoint, a credential data leak, and MCP-server config hardening — admin-relevant patches, not cosmetic bug fixes.

    View source ↗
  3. 2mo ago

    [email protected]: Release/3.1.2 (#6215)

    A monorepo UI-package release snapshot (flowise-ui 3.1.2) carrying no standalone user-facing change.

    View source ↗
  4. 2mo ago

    [email protected]: Release/3.1.2 (#6215)

    A monorepo component-package release snapshot (flowise-components 3.1.2) with no standalone user-facing content.

    View source ↗
  5. 3mo ago

    3.1.1 adds a rich-text editor for content editing and migrates Weaviate to the v3 client, alongside path-traversal and agentflow parameter fixes — incremental builder improvements with security patches.

    View source ↗
  6. 3mo ago

    3.1.0 turns on HTTP security validation by default, using a built-in deny list to block SSRF-style requests to internal addresses — a breaking but defensive default-hardening change for self-hosted deployments.

    View source ↗