External risk intelligence

Flowise Authenticated Code Execution via NodeVM Escape

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-46442

A vulnerability in Flowise, a tool for building large language model flows, allows authenticated users to execute arbitrary JavaScript code, potentially leading to system command execution on the server. This could enable unauthorized control of the Flowise host environment.

4Halo Surface Signal

Code Injection

Flowiseai Flowise

before 3.1.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-46442

Flowise is a web-based application for building LLM flows. These platforms are typically deployed as internet-facing web services or APIs to support accessibility and collaboration. As a management interface with API endpoints, it is frequently exposed to the network, placing it in the category of likely internet-facing services.

PCI scan relevance

PCI Relevance for CVE-2026-46442

Yes

CVE-2026-46442 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Flowise allows authenticated users to execute arbitrary JavaScript, potentially leading to remote code execution on the server. This impacts systems processing sensitive payment card data.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in Flowise, a tool used to build custom large language model flows. The flaw allows authenticated users to execute arbitrary JavaScript code, which can lead to system command execution on the server if not properly configured. This could enable unauthorized access and control of the Flowise host environment.

Unauthenticated code execution in Flowise.
Allows remote command execution on servers.
Confirm relevance and exposure; address if impacted.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access can exploit this vulnerability by sending a crafted POST request to the `/api/v1/node-custom-function` endpoint. This request allows them to submit arbitrary JavaScript code, which Flowise then executes within a NodeVM sandbox. If the `E2B_APIKEY` is not configured, this sandbox can be bypassed, granting the attacker access to system commands and ultimately leading to remote code execution on the server.

Authenticated access is required.
Submit arbitrary JavaScript via API.
Leads to authenticated remote code execution.

Live Threat

Current exploitation, exposure, and threat context

When Flowise is deployed without proper configuration, authenticated users or API keys could submit arbitrary JavaScript. This code could then be executed on the Flowise server host, leading to remote code execution.

Server host system commands at risk.
Unauthenticated arbitrary JavaScript execution.
Compromised server and potential data access.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for addressing this vulnerability. The first practical step involves identifying all instances of Flowise, assessing their reachability and criticality, and confirming the accountable owner before planning remediation.

Identify Flowise deployment owners.
Verify network reachability and criticality.
Plan remediation based on risk.

Frequently asked questions

What is Flowise?

Flowise is a visual, drag-and-drop platform designed for building customized workflows for large language models. It acts as an interface that connects various components to create LLM-driven applications. Because it serves as a management and development tool, it is typically hosted as a web application or API service that teams use to orchestrate and automate their model interactions.

What does CVE-2026-46442 mean for the application?

This vulnerability is classified as CWE-94, which involves the improper control of code generation or execution. In this specific case, it means the application fails to restrict the type of code users can provide to the Custom JS Function node. By submitting malicious JavaScript, an attacker can bypass internal safety boundaries, escape the execution sandbox, and run unauthorized system commands on the host server.

How does an attacker trigger this vulnerability?

The attack occurs when a user with existing credentials or an API key sends a specifically crafted request to the /api/v1/node-custom-function endpoint. Importantly, this flaw is contingent on the environment configuration; if the E2B_APIKEY is properly configured, the sandbox environment is significantly more secure. The critical risk arises when that key is missing, as the default sandbox provides insufficient protection against escaping to the host process.

Why should I care if my instance is internet-facing?

According to Halo Surface Signal, Flowise instances are frequently deployed as internet-facing services to facilitate remote collaboration and accessibility. Because the platform acts as an API-driven management console, an internet-exposed instance increases the likelihood that an attacker could reach the vulnerable endpoint, elevating the risk to the underlying host server infrastructure.

What is the first step to address this risk?

Your priority is to identify all running instances of Flowise within your environment and verify their current version. Since this issue is resolved in version 3.1.2, you should plan to update any systems running older versions immediately. Concurrently, assess the network exposure of these instances and ensure that access controls are strictly enforced to prevent unauthorized entities from reaching the management API.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.