Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (GitHub_M) · only source for this CVE.
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured - the common deployment case - Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2.
AnalysisAI
Authenticated remote code execution in FlowiseAI Flowise prior to 3.1.2 allows any user with a valid session or API key to submit arbitrary JavaScript via POST /api/v1/node-custom-function, which executes inside a NodeVM sandbox that can be escaped to reach the host process and spawn child processes. CVSS 4.0 scores this 9.4 Critical, and publicly available exploit details exist via the GHSA advisory, though no public exploit identified at time of analysis in CISA KEV. The flaw stems from missing route-level authorization combined with a sandbox that Flowise itself documents as a security boundary but which fails to contain malicious payloads.
Technical ContextAI
Flowise is a Node.js-based low-code platform for building LLM workflows. The vulnerability sits at the intersection of two defects mapped to CWE-94 (Improper Control of Generation of Code): the /api/v1/node-custom-function route in packages/server/src/routes/node-custom-functions/index.ts is registered without the checkAnyPermission middleware used on peer routes like chatflows, so global /api/v1 authentication is the only gate. User-supplied javascriptFunction is forwarded through executeCustomNodeFunction into createCodeExecutionSandbox, which only routes to the external E2B sandbox when E2B_APIKEY is set; otherwise it falls back to @flowiseai/nodevm with eval:false and wasm:false. NodeVM is a userland JavaScript isolation library, not a kernel-level sandbox, and well-known prototype/constructor traversal techniques allow escaping to the host process object and invoking require('child_process'). Affected CPE is cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*.
RemediationAI
Vendor-released patch: 3.1.2. Upgrade to flowise 3.1.2 or later via https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2, which adds route-level authorization to /api/v1/node-custom-function and ships alongside several other security fixes in the same release. If immediate upgrade is not possible, configure E2B_APIKEY to force code execution through the external E2B sandbox instead of the in-process NodeVM fallback (trade-off: requires an E2B account and outbound network egress, and does not address the missing authorization itself); additionally restrict network access to the Flowise API to trusted operators only and rotate any API keys held by lower-trust users, since PR:L means any valid credential reaches the sink. As a stronger compensating control, place a reverse proxy in front of Flowise that blocks POST /api/v1/node-custom-function except from administrator source IPs (trade-off: breaks legitimate custom-function authoring for non-admin users). Consult the advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9rvc-vf7m-pgm2 for full details.
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c
FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una
Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35110
GHSA-9rvc-vf7m-pgm2