HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-46442Published Modified CNA GitHub_M

CVE-2026-46442: Flowise: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured — the common deployment case — Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2.

Metrics

CVSS v4.0
9.4
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An authenticated remote code execution vulnerability affects Flowise, the drag-and-drop LLM flow builder. Any authenticated user or API key holder can submit arbitrary JavaScript to the POST /api/v1/node-custom-function endpoint, which, in the common deployment case where E2B_APIKEY is not set, executes that code inside a NodeVM sandbox that can be escaped to reach the host process and run system commands. Successful exploitation gives the attacker full command execution on the Flowise server host. A patched-image rebuild at version 3.1.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46442 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Flowise images, in both registry scans and CI pipeline checks.

Available
Triage

HarborGuard scores this CVE at CVSS 9.4 Critical and weights it against each environment's compliance policy, surfacing it with appropriate severity to the right team inbox inside each customer org.

Available
Patch

Because no upstream fix has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild at the fix version available the moment the upstream patch ships. For customers who opt into auto-remediation, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered automatically once a fix version is available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the Flowise HTTP API from across the network.

  • AuthenticationRequired

    Any low-privilege account or valid API key is sufficient; no administrative access is needed.

  • Victim interactionNot required

    No victim interaction is needed; the attacker sends a crafted HTTP request directly to the endpoint.

  • Attack complexityDetail

    The exploit is reliable and condition-free; no race conditions or special environmental layout are required to escape the NodeVM sandbox.

Blast Radius

  • Attacker executes arbitrary operating system commands on the Flowise server host via child_process after escaping the NodeVM sandbox.
  • All files, environment variables, and secrets accessible to the Flowise process (including database credentials, API keys, and LLM provider tokens) are readable.
  • The attacker can modify or delete persisted flow configurations, stored credentials, and any data on filesystems mounted to the host.
  • Compromise extends to systems reachable from the Flowise host, as the attacker controls a full shell on the server (CVSS v4 downstream Scope tokens SC:H, SI:H, SA:H indicate high impact on subsequent systems).

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46442 is active across all customer environments scanning Flowise images, including custom-built variants. Because no upstream fix version has been published at this time, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment FlowiseAI ships a fix. For customers who opt into auto-remediation, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads, with no manual intervention required. While no patch is available, compensating controls worth considering include restricting network access to the Flowise API to trusted internal networks via Kubernetes NetworkPolicy or equivalent ingress controls, auditing and rotating any API keys or credentials accessible to the Flowise process environment, and, where operationally feasible, setting E2B_APIKEY to route custom function execution off-host to the E2B sandbox rather than relying on the bypassable NodeVM. HarborGuard will surface the patched rebuild to affected environments as soon as the upstream fix is confirmed.

See how HarborGuard automates this
Affected packages
  • FlowiseAI / Flowise
    < 3.1.2
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References