Skip to main content

Flowise EUVDEUVD-2026-35110

| CVE-2026-46442 CRITICAL
Code Injection (CWE-94)
2026-06-08 GitHub_M GHSA-9rvc-vf7m-pgm2
9.4
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 08, 2026 - 18:18 vuln.today
Analysis Generated
Jun 08, 2026 - 18:18 vuln.today
Patch available
Jun 08, 2026 - 17:01 EUVD
CVSS changed
Jun 08, 2026 - 16:22 NVD
9.4 (CRITICAL)
CVE Published
Jun 08, 2026 - 15:30 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured - the common deployment case - Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2.

AnalysisAI

Authenticated remote code execution in FlowiseAI Flowise prior to 3.1.2 allows any user with a valid session or API key to submit arbitrary JavaScript via POST /api/v1/node-custom-function, which executes inside a NodeVM sandbox that can be escaped to reach the host process and spawn child processes. CVSS 4.0 scores this 9.4 Critical, and publicly available exploit details exist via the GHSA advisory, though no public exploit identified at time of analysis in CISA KEV. The flaw stems from missing route-level authorization combined with a sandbox that Flowise itself documents as a security boundary but which fails to contain malicious payloads.

Technical ContextAI

Flowise is a Node.js-based low-code platform for building LLM workflows. The vulnerability sits at the intersection of two defects mapped to CWE-94 (Improper Control of Generation of Code): the /api/v1/node-custom-function route in packages/server/src/routes/node-custom-functions/index.ts is registered without the checkAnyPermission middleware used on peer routes like chatflows, so global /api/v1 authentication is the only gate. User-supplied javascriptFunction is forwarded through executeCustomNodeFunction into createCodeExecutionSandbox, which only routes to the external E2B sandbox when E2B_APIKEY is set; otherwise it falls back to @flowiseai/nodevm with eval:false and wasm:false. NodeVM is a userland JavaScript isolation library, not a kernel-level sandbox, and well-known prototype/constructor traversal techniques allow escaping to the host process object and invoking require('child_process'). Affected CPE is cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: 3.1.2. Upgrade to flowise 3.1.2 or later via https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2, which adds route-level authorization to /api/v1/node-custom-function and ships alongside several other security fixes in the same release. If immediate upgrade is not possible, configure E2B_APIKEY to force code execution through the external E2B sandbox instead of the in-process NodeVM fallback (trade-off: requires an E2B account and outbound network egress, and does not address the missing authorization itself); additionally restrict network access to the Flowise API to trusted operators only and rotate any API keys held by lower-trust users, since PR:L means any valid credential reaches the sink. As a stronger compensating control, place a reverse proxy in front of Flowise that blocks POST /api/v1/node-custom-function except from administrator source IPs (trade-off: breaks legitimate custom-function authoring for non-admin users). Consult the advisory at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9rvc-vf7m-pgm2 for full details.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

EUVD-2026-35110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy