CVE-2026-46442: Flowise sandbox escape

CISO Take

Flowise's POST /api/v1/node-custom-function endpoint lacks route-level authorization, allowing any authenticated user or API key holder to submit arbitrary JavaScript to the Custom JS Function node; when E2B sandboxing is unconfigured—the default in most self-hosted deployments—that code runs inside a NodeVM sandbox that can be escaped to reach the host process and execute system commands via child_process. The blast radius is substantial: Flowise servers typically hold LLM API keys, vector DB credentials, and internal service tokens, making a successful compromise an immediate pivot point into the broader AI infrastructure stack. No EPSS data or public exploit exists yet given the CVE's recency, but NodeVM sandbox escapes are a well-documented attack class and the authentication bar is low in organizations using shared API keys or CI/CD service accounts. Upgrade to Flowise 3.1.2 immediately; if patching is delayed, block /api/v1/node-custom-function at the reverse proxy or WAF layer and audit all current API key holders.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

HIGH. Although authentication is required, this lowers the bar only marginally in environments with shared API keys, CI/CD service accounts, or multi-tenant deployments. The NodeVM sandbox escape technique is publicly known and the exploitation path is direct: craft a JavaScript payload, POST it to the unprotected endpoint, and gain shell access on the host. The absence of E2B_APIKEY—the default deployment posture—means the vulnerable code path is active in the majority of real-world Flowise installations. Post-exploitation, the host process context grants unrestricted access to environment variables, the filesystem, and the network, making this a high-confidence lateral movement and credential exfiltration vector against AI infrastructure.

How does the attack unfold?

Initial Access

Attacker obtains any valid Flowise user credential or API key through credential stuffing, a leaked .env file, or a shared team secret, satisfying the minimal authentication requirement.

AML.T0012

Exploitation

Attacker POSTs a crafted JavaScript payload to /api/v1/node-custom-function; the endpoint executes the code inside NodeVM without additional authorization checks.

AML.T0049

Sandbox Escape

The JavaScript payload traverses the prototype chain inside NodeVM to access the host's native process object, breaking the isolation boundary and reaching the underlying OS.

AML.T0105

Impact

Attacker executes arbitrary OS commands via child_process, exfiltrating LLM API keys and database credentials from the server environment or deploying a persistent reverse shell for continued access.

AML.T0050

Initial Access

Attacker obtains any valid Flowise user credential or API key through credential stuffing, a leaked .env file, or a shared team secret, satisfying the minimal authentication requirement.

AML.T0012

Exploitation

Attacker POSTs a crafted JavaScript payload to /api/v1/node-custom-function; the endpoint executes the code inside NodeVM without additional authorization checks.

AML.T0049

Sandbox Escape

The JavaScript payload traverses the prototype chain inside NodeVM to access the host's native process object, breaking the isolation boundary and reaching the underlying OS.

AML.T0105

Impact

Attacker executes arbitrary OS commands via child_process, exfiltrating LLM API keys and database credentials from the server environment or deploying a persistent reverse shell for continued access.

AML.T0050

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	—	No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

6 steps

PATCH

Upgrade to Flowise 3.1.2 immediately—this is the only complete remediation.
WORKAROUND

If patching is delayed, block POST requests to /api/v1/node-custom-function at the reverse proxy or WAF for all non-admin principals.
ISOLATE

Disable the Custom JS Function node via Flowise configuration if it is not operationally required.
SANDBOX

Configure E2B_APIKEY to route all code execution through the E2B cloud sandbox instead of local NodeVM, eliminating the vulnerable code path.
AUDIT

Enumerate all active user accounts and API keys; revoke any that are unnecessary, expired, or broadly shared.
DETECT

Monitor server logs for unexpected POST requests to /api/v1/node-custom-function and alert on anomalous child process spawns from the Flowise Node.js process (e.g., /bin/sh, cmd.exe, powershell.exe).

How is it classified?

Code Execution Auth Bypass Agent Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0105 - Escape to Host

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001

A.6.2.6 - AI system security

NIST AI RMF

MANAGE-2.4 - Risk treatments for identified AI risks

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-46442?

Flowise's POST /api/v1/node-custom-function endpoint lacks route-level authorization, allowing any authenticated user or API key holder to submit arbitrary JavaScript to the Custom JS Function node; when E2B sandboxing is unconfigured—the default in most self-hosted deployments—that code runs inside a NodeVM sandbox that can be escaped to reach the host process and execute system commands via child_process. The blast radius is substantial: Flowise servers typically hold LLM API keys, vector DB credentials, and internal service tokens, making a successful compromise an immediate pivot point into the broader AI infrastructure stack. No EPSS data or public exploit exists yet given the CVE's recency, but NodeVM sandbox escapes are a well-documented attack class and the authentication bar is low in organizations using shared API keys or CI/CD service accounts. Upgrade to Flowise 3.1.2 immediately; if patching is delayed, block /api/v1/node-custom-function at the reverse proxy or WAF layer and audit all current API key holders.

Is CVE-2026-46442 actively exploited?

No confirmed active exploitation of CVE-2026-46442 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46442?

1. PATCH: Upgrade to Flowise 3.1.2 immediately—this is the only complete remediation. 2. WORKAROUND: If patching is delayed, block POST requests to /api/v1/node-custom-function at the reverse proxy or WAF for all non-admin principals. 3. ISOLATE: Disable the Custom JS Function node via Flowise configuration if it is not operationally required. 4. SANDBOX: Configure E2B_APIKEY to route all code execution through the E2B cloud sandbox instead of local NodeVM, eliminating the vulnerable code path. 5. AUDIT: Enumerate all active user accounts and API keys; revoke any that are unnecessary, expired, or broadly shared. 6. DETECT: Monitor server logs for unexpected POST requests to /api/v1/node-custom-function and alert on anomalous child process spawns from the Flowise Node.js process (e.g., /bin/sh, cmd.exe, powershell.exe).

What systems are affected by CVE-2026-46442?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow automation, RAG pipelines, model serving.

What is the CVSS score for CVE-2026-46442?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM workflow automationRAG pipelinesmodel serving

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0053 AI Agent Tool Invocation

AML.T0105 Escape to Host

Compliance Controls Affected

ISO 42001: A.6.2.6

NIST AI RMF: MANAGE-2.4

OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured — the common deployment case — Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2.

Exploitation Scenario

An attacker with a low-privilege Flowise account—or a leaked API key recovered from a teammate's committed .env file—crafts a JavaScript payload that exploits a NodeVM sandbox escape by traversing the prototype chain to access the host's native process object. They POST this payload to /api/v1/node-custom-function, which executes without further authorization checks. The sandbox escape succeeds and the attacker invokes child_process.exec() to exfiltrate the contents of the server's environment, capturing the OpenAI API key, PostgreSQL credentials, and vector database access tokens stored there. With those credentials, the attacker pivots silently into the organization's broader AI infrastructure and production databases, maintaining persistence through a scheduled reverse shell before the intrusion is detected.