Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured — the common deployment case — Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2.
Published: 2026-06-08
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Flowise allows an authenticated user to submit arbitrary JavaScript code to a custom function endpoint that runs inside a NodeVM sandbox. Because the sandbox can be escaped, the attacker can access the host process object and execute system commands. This vulnerability is identified as a code injection flaw (CWE‑94) and results in the attacker gaining full control of the Flowise server.

Affected Systems

The affected products are FlowiseAI’s Flowise platform, specifically any deployment running a version older than 3.1.2 that uses the /api/v1/node-custom-function endpoint without route‑level authorization and without an E2B_APIKEY configured. Users with API keys or authenticated sessions are able to exercise this endpoint.

Risk and Exploitability

The CVSS score of 9.4 highlights a severe severity, and while the EPSS score is not available, the lack of a KEV listing indicates no known public exploitation yet. Nevertheless, an attacker with legitimate credentials can exploit the sandbox escape to run arbitrary code on the host. The vulnerability is exploitable in a normal deployment scenario where E2B_APIKEY is not set, making the risk high for typical users. Updating to the patched version removes the unprotected route and secures the sandbox.

Generated by OpenCVE AI on June 8, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise to version 3.1.2 or later to remove the unprotected route and fix the sandbox escape
  • Revoke or limit API keys that are not needed for trusted users so that only authorized users can access the custom function endpoint
  • If an upgrade is not immediately possible, block or disable access to /api/v1/node-custom-function until the fix is applied

Generated by OpenCVE AI on June 8, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9rvc-vf7m-pgm2 FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
History

Thu, 11 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Flowiseai
Flowiseai flowise
Vendors & Products Flowiseai
Flowiseai flowise

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured — the common deployment case — Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2.
Title Flowise: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Flowiseai Flowise
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T14:35:49.756Z

Reserved: 2026-05-13T22:18:22.831Z

Link: CVE-2026-46442

cve-icon Vulnrichment

Updated: 2026-06-09T14:27:49.544Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-08T16:16:41.347

Modified: 2026-06-11T04:07:08.640

Link: CVE-2026-46442

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T16:45:26Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')