Flowise before version 2.1.4 permits attacker supplied configuration to be injected into the Chainflow during execution via the overrideConfig option. Because this feature is enabled by default and lacks an allow‑list of permitted variables, the malicious payload can execute arbitrary code, escape the vm2 sandbox, crash the server, perform server‑side request forgery, prompt injection, and exfiltrate server data. The vulnerability is self‑targeted and does not persist to other users, but it allows full compromise of the affected instance.

The vendor Flowise, with the product Flowise, is impacted. Any deployment running a Flowise 2.1.x series older than 2.1.4 is affected; versions 2.1.4 and later include the fix.

The CVSS score of 9.3 indicates a high‑severity remote code execution risk. The EPSS score is not available, so the current exploitation likelihood is uncertain; however, the lack of a KEV listing does not mitigate the potential for exploitation. Attackers can leverage the overrideConfig endpoint accessible via the frontend web integration or the backend Prediction API, and the vulnerability does not require persistence to impact other users. If an attacker can supply configuration through these interfaces, they can execute arbitrary code, crash the server, or exfiltrate data, leading to full compromise of the impacted AI service.