AI and ML, Potential Risk of CVE

CVE-2026-46442: Regarding Flowise versions prior to 3.1.2 (June 10, 2026)

Leave a comment

Preface: Flowise is an open-source, low-code tool that enables users to build customized Large Language Model (LLM) orchestration flows and AI agents using a visual, drag-and-drop interface based on LangChain. It allows for rapid development of AI applications without extensive coding, connecting LLMs (OpenAI, Anthropic, Local via Ollama) with tools, vector stores, and memory.

Background: When you install Flowise in a Docker container, the NodeVM sandbox environment is included within that same container. Flowise uses this NodeVM to securely execute custom JavaScript code (e.g., in Custom JS Function nodes) inside its own runtime environment.

NodeVM (a class from sandboxing libraries like vm2) is a software mechanism used inside JavaScript code to run untrusted code in an isolated scope. NVM (Node Version Manager) is a command-line developer utility used to install and switch between different versions of Node.js on a local machine or server.

Best Practices for Production

Enable Strict Sandbox: Always ensure the JAVASCRIPT_SANDBOX environment variable is set to true in your Docker compose file to prevent unrestricted Node module imports.

Limit Container Privileges: Run the Docker container as a non-root user to minimize damage if a sandbox escape occurs.

Restrict Network Egress: Use Docker network policies to block the Flowise container from accessing sensitive internal networks or databases it does not need.

Vulnerability details: Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured — the common deployment case — Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host.

Remedy: This issue has been patched in version 3.1.2.

Official announcement: Please refer to link for details – https://www.tenable.com/cve/CVE-2026-46442

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.