PT-2026-41207 · Flowise · Flowise

Published: 2026-05-14 · Updated: 2026-05-19 · CVE-2026-46442

CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Flowise, versions prior to 3.1.2

Description: The endpoint "/api/v1/node-custom-function" lacks route-level authorization, so any authenticated user, or any holder of a valid API key, can submit arbitrary JavaScript via the javascriptFunction parameter. When the E2B APIKEY variable is not configured, the system falls back to executing that code in a NodeVM sandbox. The sandbox can be escaped through an exception path in which an Error object exposes the host Function constructor, which in turn yields the host process object and built-in modules such as child process. The result is authenticated remote code execution on the server host: an attacker can read environment variables, access the filesystem, and make outbound network requests.

Recommendations: Update to a version later than 3.1.1. Add explicit permission gating to the "/api/v1/node-custom-function" endpoint using the checkPermission middleware. Configure the system to fail closed when E2B APIKEY is absent instead of downgrading to NodeVM. Do not expose the "/api/v1/node-custom-function" endpoint to generic API key access.
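The three defensive recommendations above (explicit permission gating, failing closed when the remote sandbox credential is absent, and keeping the endpoint off generic API-key access) are shown together below as an added illustration. This is not Flowise's own code: the Express-style middleware signature, the permission name, the request shape (`req.auth`, `req.user`, `req.body`), and the environment variable name `E2B_APIKEY` are all assumptions made for the example, and the `checkPermission` function here is a stand-in whose signature is not known to match the real middleware.

```javascript
// Added example (not Flowise's code): route-level gating for a code-execution
// endpoint, modelled on the advisory's recommendations. Express-style
// (req, res, next) middleware is assumed; the permission name, request
// fields and env var name below are invented for the example.

const ROUTE = "/api/v1/node-custom-function";

// Assumed permission name for running custom node code.
const EXECUTE_PERMISSION = "customFunction:execute";

// Minimal response object so the example runs without Express installed.
function makeRes() {
  return {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
  };
}

// Run a middleware chain the way Express does: the chain stops at the first
// handler that responds without calling next().
function dispatch(middlewares, req) {
  const res = makeRes();
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return { status: res.statusCode, body: res.body };
}

// 1. Generic API keys must not reach this route: only an interactive
//    (session) principal is allowed to proceed to the permission check.
function rejectApiKeyAuth(req, res, next) {
  if (req.auth && req.auth.kind === "apiKey") {
    return res.status(403).json({ error: "API keys may not call " + ROUTE });
  }
  next();
}

// 2. Explicit permission gate (stand-in for the checkPermission middleware the
//    advisory recommends; the real signature is assumed, not known).
function checkPermission(required) {
  return (req, res, next) => {
    const perms = (req.user && req.user.permissions) || [];
    if (!perms.includes(required)) {
      return res.status(403).json({ error: "missing permission " + required });
    }
    next();
  };
}

// 3. Fail closed: with no remote-sandbox credential, refuse the request rather
//    than downgrading to an in-process NodeVM. Env var name is assumed.
function requireRemoteSandbox(env) {
  return (req, res, next) => {
    if (!env.E2B_APIKEY) {
      return res.status(503).json({
        error: "code execution disabled: E2B_APIKEY not configured",
      });
    }
    next();
  };
}

// The handler never evaluates the submitted code locally; it only accepts it
// for forwarding to the remote sandbox (forwarding itself is out of scope).
function nodeCustomFunctionHandler(req, res) {
  const body = req.body || {};
  res.status(200).json({ accepted: typeof body.javascriptFunction === "string" });
}

// Order matters: cheapest and most decisive checks first.
function buildRoute(env) {
  return [
    rejectApiKeyAuth,
    checkPermission(EXECUTE_PERMISSION),
    requireRemoteSandbox(env),
    nodeCustomFunctionHandler,
  ];
}

// Entry point used below and by any test: dispatch one request against the
// gated route under a given environment.
function handle(env, req) {
  return dispatch(buildRoute(env), req);
}

// Constructed sample requests, not captured traffic.
const sessionUser = { permissions: [EXECUTE_PERMISSION] };
console.log(handle({}, { auth: { kind: "session" }, user: sessionUser, body: {} }));
console.log(handle({ E2B_APIKEY: "constructed-key" },
  { auth: { kind: "apiKey" }, user: sessionUser, body: {} }));
console.log(handle({ E2B_APIKEY: "constructed-key" },
  { auth: { kind: "session" }, user: sessionUser, body: { javascriptFunction: "return 1" } }));
```

Putting `requireRemoteSandbox` in the chain (rather than checking the key only inside the executor) is what turns the missing credential into a hard 503 instead of a silent downgrade; the permission and API-key checks sit in front of it so that an unauthorized caller never learns whether the sandbox is configured at all.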

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2026-46442, GHSA-9RVC-VF7M-PGM2

Affected Products: Flowise