CVE-2026-46442

Confirmed PUBLISHED

Flowise: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape

FlowiseAI · Flowise

Not yet in CISA KEV

Exploited in the wild Active exploitation observed

Recommended Action

Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.

Confidence
Confirmed
Exploitation Status
Active exploitation observed
Observed in Sensors
Yes
Attempts (30d)
22
Unique Attacker IPs
9
CISA KEV
Not yet in CISA KEV
CVSS / EPSS
9.4 Critical EPSS 0.8%

At a Glance

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured — the common deployment case — Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2.

CVE Published
Jun 08, 2026
Exploitation Reported
Jul 13, 2026
CVSS
9.4 Critical
EPSS
0.8%
Remote Low complexity No user interaction

Affected Versions

Vendor Product Version Status
FlowiseAI
Flowise

< 3.1.2

Affected

CVE References

Recommended Actions

  • Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
  • Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.